India is proposing sweeping new smartphone security rules that would require device makers to share proprietary source code with government-designated laboratories, triggering strong pushback from global technology companies including Apple, Samsung, Google and Xiaomi, according to people familiar with the matter and confidential documents reviewed by Reuters.
The proposal is part of a broader package of 83 security standards under consideration by the Indian government as it seeks to strengthen protection of user data amid rising online fraud and cyber breaches in the world’s second-largest smartphone market, which has nearly 750 million devices. The initiative aligns with Prime Minister Narendra Modi’s push to tighten digital security frameworks.
Beyond source code disclosure, the draft rules would require smartphone makers to notify the government ahead of major software updates, allow users to uninstall most pre-installed apps, restrict background access to cameras and microphones, mandate periodic malware scans, and store detailed system logs on devices for at least 12 months.
India’s IT Secretary S. Krishnan said on Saturday that the government would approach industry feedback “with an open mind,” adding that it was “premature to read more into it.” The Ministry of Electronics and Information Technology later said consultations were ongoing to build a “robust regulatory framework for mobile security,” and insisted it was not seeking source code — without directly addressing the documents cited by Reuters.
Industry representatives dispute that position. The Indian technology lobby group MAIT, which represents Apple, Samsung, Google and Xiaomi, said in a confidential response that source code review and vulnerability analysis were “not possible” due to corporate secrecy and global privacy policies. The group argued that no major market — including the EU, North America or Australia — imposes such requirements.
Smartphone makers also warned that mandatory malware scanning could drain battery life, while government pre-clearance of security patches could delay urgent fixes. MAIT added that consumer devices lack sufficient storage capacity to retain a full year of system logs.
The standards, first drafted in 2023, are now under closer scrutiny as India considers giving them legal force. Government officials and executives from major tech firms are expected to meet again this week as the tug of war over the proposed rules continues.
