MeitY Fact-Checks Report Stating Mandate for Smartphone Makers to Share Software Secrets

The Indian government is reportedly considering a comprehensive set of mobile security rules that would significantly expand government oversight of smartphone software, triggering pushback from major device makers who warn that the proposals could expose proprietary systems and delay critical updates. A Reuters report has claimed the draft framework, described as “Indian Telecom Security Assurance Requirements, ”includes dozens of technical standards that could affect how iPhones and Android phones are built, updated, and tested in India. However, the government has rejected the report, saying it is “fake.”

What the report says

Reuters has reported that government officials are considering a package of 83 security standards that would require smartphone makers to implement multiple software-level changes aimed at reducing fraud, spyware abuse, and data breaches in India’s massive smartphone market, which is estimated at nearly 750 million devices.  

Among the more significant provisions are requirements that phones support the uninstallation of pre-installed apps and that operating systems allow tighter controls to prevent apps from accessing the camera and microphone in the background, thereby stopping “malicious usage.” The draft standards also include mandatory and periodic malware scanning on devices, and a requirement that system logs be stored on-device for at least 12 months.

One of the most sensitive elements is the proposal for “source code review” and “vulnerability analysis,” which, according to the described documents, could allow designated Indian labs to analyse and possibly test smartphone source code.

Industry representatives argue this has no global precedent at the scale suggested and could risk revealing proprietary implementation details that companies closely guard. The concerns are amplified because source code access has been resisted elsewhere, too, including past attempts by other governments and law enforcement to obtain it.

Another major flashpoint is a requirement for companies to notify India’s National Centre for Communication Security about major software updates and security patches before releasing them, along with giving the agency the right to test those updates. Companies and industry groups contend that security patches often need rapid deployment, and a pre-notification/testing workflow could slow response times during active exploit cycles. The proposal set is being discussed as the government considers giving these standards legal force, and further meetings between officials and tech executives are expected.  

Industry pushback: feasibility, battery, and storage

The Indian industry group MAIT is described as objecting that “source code review” and deeper “vulnerability analysis” are not feasible “due to secrecy and privacy,” and has asked for portions of the proposal to be dropped. According to the report, MAIT also argues that routine malware scanning could materially impact battery life, and that storing a full year of device logs may be unrealistic because of on-device storage constraints. Major OEMs and platform players mentioned in the discussions include Apple, Samsung, Google, and Xiaomi, with Xiaomi and Samsung holding large India market shares and Apple a smaller share, based on Counterpoint estimates cited in the provided material.  

Government response and the policy context

The government has rejected that claim. In a PIB Fact Check post, the government said the allegation is fake and that it has not proposed any measure to compel smartphone manufacturers to share their source code.

The Ministry of Electronics and Information Technology (MeitY) said it has begun stakeholder consultations to develop an “appropriate” regulatory framework for mobile security, describing these as routine discussions with industry when safety or security standards are being considered. MeitY added that no final regulations have been framed yet, and any future framework will be created only after due consultations

Read more: Meta Turns to Nuclear Energy to Feed Its AI Data Centres, Signs Three Nuclear Power Deals