Authors: Munsif Vengattil and Aditya Kalra
NEW DELHI, Jan 11 (Reuters) – Here are the key security requirements that India has imposed on smartphone makers such as Apple and Samsung and that have faced pushback from technology companies, according to four sources and industry and government documents seen by Reuters.
Source code disclosure:
Manufacturers must test and provide proprietary source code for review by government-designated laboratories to identify vulnerabilities in the phone’s operating system that could be exploited by attackers.
Industry group MAIT, which represents Apple, South Korea’s Samsung, Google and China’s Xiaomi, told the government that this was “impossible” due to corporate secrecy and global privacy policies.
Background permission restrictions:
When the phone is inactive, apps cannot access the camera, microphone, or location services in the background. A persistent status bar notification is required when these permissions are active.
Manufacturers say this lacks any global precedent and that no specific testing methods are specified.
Permission review reminder:
Devices must display periodic warnings prompting users to check all application permissions and provide ongoing notifications.
The company said notifications should be limited to “highly critical” permissions.
Logs are retained for one year:
Devices must store security audit logs, including app installations and login attempts, for 12 months.
MAIT believes consumer phones lack the ability to store a year’s worth of data.
Regular malware scans:
Phones must regularly scan for malware and identify potentially harmful applications.
The manufacturer warns that constant device scanning can significantly drain battery power and reduce hardware performance.
Option to remove pre-installed apps:
All preinstalled applications bundled with the phone’s operating system must be removable, except for those necessary for basic phone functionality.
The company considers many applications to be critical system components that cannot be removed.
Notify the government of major updates:
Phone manufacturers must notify government organizations before releasing any major updates or security patches.
Manufacturers consider this “impractical” because security fixes must be released quickly to protect users from active attacks, and government delays could leave users vulnerable to attack.
Tamper detection warning:
The device must detect whether the phone has been rooted or “jailbroken” (the user has bypassed built-in security restrictions) and display a continuous warning banner to recommend corrective action.
The company says there is no reliable mechanism to detect jailbreaks.
Anti-rollback protection:
Phones must permanently block the installation of older software versions, even those officially signed by the manufacturer, to prevent security degradation.
The manufacturer states that there is no global standard related to this requirement.
(Reporting by Munsif Vengattil and Aditya Kalra; Editing by William Mallard)