India mandates pre-installed cybersecurity app on smartphones, sparking privacy debate

India has ordered all smartphone manufacturers to pre-install a state-run cybersecurity application, Sanchar Saathi, on devices sold or imported into the country, a move that has triggered a wave of criticism over privacy rights and digital autonomy.

Announced on 2 December 2025, the directive gives companies 90 days to comply. All devices must come with the app pre-installed, clearly visible, and fully functional during setup. The app cannot be removed or disabled by users.

The app—launched in January—allows users to block or track lost or stolen phones, check a device's IMEI number, and detect fake mobile connections.

According to figures cited by Reuters, Sanchar Saathi has helped trace more than 700,000 phones, including over 50,000 in October 2025. Broader government data claims more than 2.6 million devices have been identified since the platform's introduction.

India’s Department of Telecommunications (DoT) stated that mobile handsets with duplicate or spoofed IMEI numbers present a serious risk to telecom cybersecurity. It cited the prevalence of second-hand device sales and blacklisted phones as key concerns.

Manufacturers must also attempt to push the app via software updates to unsold devices already in circulation, and must submit compliance reports within 120 days.

Privacy groups challenge legality and proportionality

The move has provoked sharp criticism from digital rights groups, cybersecurity experts, and opposition politicians, many of whom argue the directive opens the door to state surveillance without legal safeguards.

The Internet Freedom Foundation (IFF) issued a detailed statement warning that the directive represented a “deeply worrying expansion of executive control over personal digital devices”.

The IFF said the directive, issued under the Telecommunications (Telecom Cyber Security) Rules, 2024, mandates the permanent installation of a government app with no option for users to refuse or remove it—transforming smartphones into vessels for state software.

Clause 7(b) of the directive requires the app to be “readily visible” and ensures “its functionalities are not disabled or restricted.” According to IFF, this effectively grants system-level access, weakening standard protections that prevent apps from accessing other apps' data.

It warned of function creep, noting that while the app currently performs IMEI verification, future updates could allow it to scan for banned apps, monitor VPN use, or access private data—all without user consent or parliamentary oversight.

Quoting India’s landmark K.S. Puttaswamy (2017) privacy ruling, IFF argued the order fails the constitutional proportionality test. Less intrusive tools already exist—such as SMS-based verification and the Sanchar Saathi web portal—which do not require permanent installation.

“This is a textbook example of disproportionate state action under the Puttaswamy standard,” the group said.

IFF has filed a Right to Information (RTI) request for the full order and its justification and indicated it may pursue legal action.

Public alarm has also grown in response to a widely shared screenshot posted by a user on X (formerly Twitter), showing the extensive permissions requested by Sanchar Saathi version 1.5.0.

The user described the directive as: “Outrageous! Wake up INDIA! The Govt’s Sanchar Saathi app mandate is a blatant assault on our privacy & freedom... under the guise of ‘safety’, the government will potentially have the power to spy on our calls, texts & location. This is surveillance at its worst.”

The screenshot reveals that the app may request access to a range of sensitive features and data, including:

• Camera (to take pictures and videos)

• Call logs and phone identity status

• SMS (send and read text messages)

• Storage (read, modify, or delete contents)

• Network and startup behaviour (including run at startup, view connections)

• Other functions such as controlling vibration, using the flashlight, and preventing the phone from sleeping

While the app notes that permissions can be disabled manually, it also states that future updates may automatically add capabilities within each group. Privacy advocates warn that such access, combined with a lack of legal oversight, could enable persistent and unregulated monitoring.

Technology experts raise design and compliance concerns

Technology analysts have raised concerns about how the app operates and how manufacturers will comply.

Prasanto K Roy, a veteran tech commentator, told the BBC the app demands an unusually high level of permissions, ranging from access to the flashlight and camera to potentially sensitive user data. “We can’t see exactly what it’s doing, but we can see that it’s asking for a great deal of permissions,” he said.

On Google’s Play Store, Sanchar Saathi claims it does not collect or share any personal data. However, privacy experts say the lack of transparency on its backend operations leaves users with no way to verify that claim.

The directive also clashes with global corporate policies. Apple, which holds 4.5% of India’s estimated 735 million smartphones, has historically rejected pre-installation of government or third-party apps. According to Counterpoint Research, Apple has not commented publicly but intends to express its concerns to Indian authorities.

“Most companies prohibit installation of any government or third-party app before the sale of a smartphone,” said Tarun Pathak, research director at Counterpoint.

Opposition calls for rollback, citing constitutional rights

Political opposition to the order has also grown. The Congress party demanded an immediate withdrawal, calling the directive unconstitutional. “Big Brother cannot watch us,” said KC Venugopal on X.

 

“A pre-loaded government app that cannot be uninstalled is a dystopian tool to monitor every Indian.”

Opposition leaders argue the app could eventually be used to monitor movement, track online activity, or access communications—without user knowledge or independent oversight.

Comparisons drawn to other countries’ surveillance policies

India’s policy mirrors similar initiatives in other countries. In August 2025, Russia required all smartphones and tablets to come pre-installed with MAX, a state-run messaging app. That move was similarly criticised by rights groups as a potential surveillance mechanism.

While India’s government insists Sanchar Saathi is aimed at protecting consumers from fraud, critics argue that without strong legal safeguards and opt-out mechanisms, the tool may erode the fundamental right to privacy in one of the world’s largest mobile markets.