India is proposing a sweeping set of new smartphone security requirements that have alarmed major global technology companies, according to four sources as well as industry and government documents reviewed by Reuters. The draft rules, aimed at strengthening device-level security, would apply to manufacturers including Apple, Samsung, Google and Xiaomi, and have triggered pushback from the industry.

One of the most contentious provisions is source code disclosure. Manufacturers would be required to submit proprietary operating system source code to government-designated laboratories for testing, to identify vulnerabilities that could be exploited by attackers. Industry body MAIT, which represents many of the affected firms, has told the government this demand is “not possible” due to corporate secrecy obligations and global privacy policies.

The proposals also include strict background permission restrictions, barring apps from accessing cameras, microphones or location services when phones are inactive, and mandating continuous status bar notifications when such permissions are in use. Companies argue there is no global precedent for this and that no clear testing methodology has been defined.

A provision on permission review alerts would require devices to regularly prompt users, through persistent warnings, to review all app permissions. Manufacturers say such alerts should be limited only to highly critical permissions to avoid user fatigue.

Another requirement would mandate one-year log retention, forcing devices to store security audit logs — such as app installations and login attempts — for 12 months. MAIT argues that most consumer smartphones lack sufficient storage capacity to retain that volume of data.

The draft rules would also require periodic malware scanning on devices. Manufacturers warn that constant on-device scanning would significantly drain battery life and degrade hardware performance.

India is also proposing an option to remove pre-installed apps, requiring that all bundled apps — except those essential for basic phone functionality — be deletable. Companies counter that many pre-installed apps are tightly integrated system components and cannot be safely removed.

Under another clause, manufacturers would need to inform the government before releasing major updates or security patches. Tech firms say this is impractical, as security fixes often need to be deployed immediately to protect users from active exploits, and any regulatory delay could increase risk.

The rules further call for tamper-detection warnings, requiring phones to detect if devices have been rooted or jailbroken and to display continuous warning banners. Manufacturers argue there is no reliable, universal method to detect jailbreaking.

Finally, the proposal includes anti-rollback protection, which would permanently block installation of older software versions — even if officially signed — to prevent security downgrades. Companies say there is no global standard that supports such a requirement.

Together, the measures mark one of India’s most ambitious attempts to regulate smartphone security, but industry groups warn they could disrupt global device design, slow security updates and conflict with international standards if implemented in their current form.