Context:
The Government of India is considering new smartphone security standards under the Indian Telecom Security Assurance Requirements (ITSAR)—a framework of security controls aimed at safeguarding mobile users against rising cybercrime, data breaches, and online fraud. These proposals are part of broader efforts to strengthen digital security and data sovereignty in a country that hosts one of the world’s largest smartphone markets.
Background:
-
-
- India, the world’s second-largest smartphone market, with nearly 750 million users, faces growing risks from cyberattacks, spyware, and data vulnerabilities. ITSAR aligns with the government’s wider focus on national cybersecurity and data protection, following earlier debates on mandatory cyber-safety applications and testing norms for connected devices such as security cameras and IoT equipment.
- Global smartphone manufacturers—including Apple, Samsung, Google, and Xiaomi—have expressed strong concerns. They argue that several ITSAR provisions lack international precedent and could compromise proprietary technologies and intellectual property.
- India, the world’s second-largest smartphone market, with nearly 750 million users, faces growing risks from cyberattacks, spyware, and data vulnerabilities. ITSAR aligns with the government’s wider focus on national cybersecurity and data protection, following earlier debates on mandatory cyber-safety applications and testing norms for connected devices such as security cameras and IoT equipment.
-
Key Features of the Proposed Security Standards:
-
-
- Source Code Access and Vulnerability Testing
- One of the most contentious proposals is the potential requirement for smartphone manufacturers to share proprietary source code with designated laboratories for vulnerability analysis. Draft provisions suggest that source code would be reviewed to identify backdoors and systemic weaknesses. Industry stakeholders contend that such requirements lack global precedent and pose serious risks to corporate secrecy and innovation.
- One of the most contentious proposals is the potential requirement for smartphone manufacturers to share proprietary source code with designated laboratories for vulnerability analysis. Draft provisions suggest that source code would be reviewed to identify backdoors and systemic weaknesses. Industry stakeholders contend that such requirements lack global precedent and pose serious risks to corporate secrecy and innovation.
- Software and Privacy Controls
- Other notable proposals include:
- Uninstallable default applications: Non-essential pre-installed apps should be removable by users.
- Background permission restrictions: Applications should be restricted from accessing the camera, microphone, or location data while running in the background.
- Automatic malware scanning: Mandatory periodic scans to detect malicious software.
- Software update notifications: Manufacturers must inform the National Centre for Communication Security prior to releasing major software updates.
- Long-term log retention: Devices must store security logs—such as app installations and login attempts—for up to one year.
- Uninstallable default applications: Non-essential pre-installed apps should be removable by users.
- Other notable proposals include:
- Source Code Access and Vulnerability Testing
-
Challenges and the Way Ahead:
-
-
- Data Security vs. Proprietary Rights: Mandatory source code disclosure risks exposing trade secrets. A risk-based, targeted regulatory approach may be more appropriate.
- Lack of Global Precedent: Several ITSAR provisions have no equivalent in the EU, North America, or OECD countries, raising concerns about regulatory overreach.
- Ease of Doing Business: High compliance costs could deter foreign investment and manufacturing; time-bound and transparent approval mechanisms are essential.
- Operational Practicality: Battery life, storage capacity, and device performance constraints must be considered. Independent third-party audits could offer a viable alternative to intrusive controls.
- Innovation and R&D: Excessive regulation risks stifling innovation. A careful balance is required between national security, user privacy, and technological progress.
- Data Security vs. Proprietary Rights: Mandatory source code disclosure risks exposing trade secrets. A risk-based, targeted regulatory approach may be more appropriate.
-
Conclusion:
The ITSAR initiative highlights India’s determination to strengthen smartphone security in an increasingly digital society. However, translating draft proposals into enforceable norms will require a consultative, proportionate, and globally aligned approach. Safeguarding user interests, preserving industry innovation, and addressing national security concerns must proceed in tandem. Sustained engagement with industry stakeholders, cybersecurity experts, and civil society will be crucial to shaping a balanced and effective regulatory framework.
