India’s plan to demand access to the tightly guarded source code that runs hundreds of millions of smartphones has sent a chill through the world’s biggest tech companies, who see it as one of the most intrusive security overhauls ever floated in a major market.
The draft rules, reported in detail over the weekend, land at a time when New Delhi is under pressure to curb online fraud and data breaches in a country where nearly 750 million people now carry smartphones. They have already drawn sharp resistance from Apple, Samsung, Google and Xiaomi, which warn that the move could expose intellectual property, slow software updates and ultimately push up prices for Indian consumers.
“This is not possible … due to secrecy and privacy,”
the Manufacturers’ Association for Information Technology (MAIT), which represents many of the affected companies, told officials in a confidential submission.
A sweeping new security rulebook
The proposals sit inside a broader framework known as the Telecom Security Assurance Requirements, an 83‑point checklist that would remake how phones are built and tested for the Indian market.
The most contentious plank is a requirement that manufacturers run tests on their proprietary source code and then submit that code to government‑approved labs for vulnerability checks. For companies that treat their operating systems as crown jewels, it would give the state an unprecedented look at the software that controls modern smartphones.
The draft goes further. Before shipping major updates or security patches, firms would have to notify the National Centre for Communication Security, which could test those updates first. Phones would need to conduct regular automatic malware scans and store detailed system logs locally for at least a year.
On the user side, New Delhi wants all pre‑installed apps to be removable, and it wants background access to cameras and microphones cut off when devices are idle — a nod to long‑running anxieties about covert surveillance by apps and foreign governments.
Officials say these measures are overdue in a market that has become central to the global ambitions of Apple and its Asian rivals. IT secretary S. Krishnan has said the government is open to feedback and called it premature to overinterpret the draft, stressing that industry concerns will be heard.
Industry warns India risks becoming an outlier
Behind the scenes, executives describe a rulebook that would put India in a category of its own among large economies.
“Major countries in the EU, North America, Australia and Africa do not mandate these requirements,”
MAIT told the government, arguing that any obligation to share source code would upend decades of corporate secrecy and cut across global privacy commitments.
A senior executive at a large Android handset maker, who asked not to be named because talks with the government are still underway, put it more bluntly.
“The proposal essentially asks us to open the safe and hand over the blueprints,”
the person said.
“If a single line of that code leaks, we lose our competitive edge overnight. You cannot put that genie back in the bottle.”
MAIT has also raised practical concerns. Continuous malware scanning, it says, will sap battery life and hurt performance. Forcing companies to seek clearance before rolling out security fixes is seen as unworkable when patches often need to go out within hours of a new exploit. Storing a year’s worth of system logs on devices, the group argues, simply isn’t realistic for many low‑cost models sold in India’s price‑sensitive market.
After an app backlash, a new flashpoint
The flare‑up over source code comes barely a month after the Modi government abruptly withdrew an order that would have forced all smartphones sold in India to ship with a state‑run cyber safety app, Sanchar Saathi, pre‑installed.
That earlier directive drew heavy fire from privacy advocates and opposition politicians, who compared the app to a mass surveillance tool. Communications Minister Jyotiraditya Scindia defended the rollout at the time, insisting the app was voluntary and could be deleted, even as leaked instructions to manufacturers suggested they were expected to preload it.
The reversal did little to calm fears in the tech industry that New Delhi is pushing the boundaries of direct control over consumer devices. To many executives, the new source‑code proposal looks like the logical next step.
“India clearly wants stronger defences against fraud and cyber attacks,”
said one cybersecurity entrepreneur in Bengaluru.
“But when the state asks for the master key to every lock in the house, people will wonder who is watching the locksmith.”
Billions at stake in India’s ‘China+1’ bet
The debate is about more than cybersecurity and software architecture. India has spent years pitching itself as a “China+1” alternative for global manufacturing, offering incentives to contract assemblers like Foxconn and Pegatron and urging Apple and others to build both for export and for the home market.
Chinese brands such as Xiaomi and South Korea’s Samsung together account for more than a third of Indian smartphone sales, while Apple has been expanding its footprint in the premium segment and leaning on India as a key production base.
Any rule that raises compliance costs or complicates global product roadmaps will ripple across that ecosystem — through factories, supply chains and retail networks. Industry officials say that if engineering and testing costs rise, those pressures are likely to be passed on to Indian buyers, especially in the mid‑range and budget tiers that dominate the market.
So far, the reaction in financial markets has been restrained. Analysts have not yet made major changes to earnings forecasts, and no big manufacturer has updated its formal guidance in direct response to the draft. In private, however, the tone is cautious.
“Global investors hate uncertainty, and this creates a lot of it,”
said a Mumbai‑based portfolio manager who holds stakes in several consumer‑tech companies.
“If the rules harden in this form, they will reprice India risk, not just for phones but for anything with sensitive code.”
A tug of war with few precedents
Government officials say consultations are continuing, with ministry representatives and company executives due to meet again in the coming days to work through the details.
Both sides know there is no straightforward template. Apple has pushed back against similar demands in China, and in the United States, authorities have repeatedly failed to secure full access to core iOS code through the courts. That history underlies MAIT’s firm stance in Delhi.
The group is urging the government to drop the source‑code and log‑storage provisions entirely and instead consider less intrusive regimes, such as audits that rely on limited disclosures and independent third‑party testing.
Civil society organisations, energised by the fight over Sanchar Saathi, are expected to weigh in if the draft edges closer to becoming law. Their concerns go beyond corporate trade secrets to the risk that deep access to system software could expand the state’s surveillance powers over time.
For now, the proposal sits in a familiar Indian limbo: tough language on paper, quiet lobbying in Delhi conference rooms and little clarity on when, or in what form, the rules might actually bite.
If New Delhi ultimately concludes that security demands a view under the hood of every smartphone sold in the country, the world’s biggest tech firms will face a stark decision on how much of their code — and how much of their capital — they are prepared to leave on the table.
