NEW DELHI, Jan 11 (Reuters) – Below are key security requirements India is proposing for smartphone makers like Apple and Samsung, prompting opposition from tech companies, according to four sources, as well as industry and government documents seen by Reuters.

SOURCE CODE DISCLOSURE:

Sign up here.

Manufacturers must test and provide proprietary source code for review by government-designated labs to identify vulnerabilities in phone operating systems that could be exploited by attackers.

Industry group MAIT, which represents Apple (AAPL.O), opens new tab, South Korea’s Samsung (005930.KS), opens new tab, Google (GOOGL.O), opens new tab, China’s Xiaomi (1810.HK), opens new tab, has told the government this is “not possible” due to corporate secrecy and global privacy policies.

BACKGROUND PERMISSION RESTRICTIONS:

Apps cannot access cameras, microphones or location services in the background when phones are inactive. Continuous status bar notifications are required when these permissions are active.

Manufacturers say this lacks any global precedent and there is no specific test method prescribed.

PERMISSION REVIEW ALERTS:

Devices must periodically display warnings prompting users to review all app permissions, with continuous notifications. Companies say notice should be limited to “highly critical” permissions.

ONE-YEAR LOG RETENTION:

Devices must store security audit logs, including app installations and login attempts, for 12 months.

MAIT argues consumer phones lack the storage capacity for a year of data.

PERIODIC MALWARE SCANNING:

Phones must periodically scan for malware and identify potentially harmful applications.

Manufacturers warn that constant on-device scanning significantly drains the battery and slows hardware performance.

OPTION TO REMOVE PRE-INSTALLED APPS:

All pre-installed apps bundled with the phone operating system, except those essential for basic phone functions, must be deletable.

Companies argue many apps are critical system components that cannot be removed.

INFORMING GOVERNMENT OF MAJOR UPDATES:

Phone makers must notify a government organisation before releasing any major updates or security patches.

Manufacturers argue this is “impractical” because security fixes must be released quickly to protect users from active exploits, while government delays could leave users vulnerable.

TAMPER-DETECTION WARNINGS:

Devices must detect if phones have been rooted or “jailbroken”, where users bypass built-in security restrictions, and display continuous warning banners to recommend corrective measures.

Companies say there is no reliable mechanism to detect jailbreaking.

ANTI-ROLLBACK PROTECTION:

Phones must permanently block installation of older software versions, even if officially signed by the manufacturer, to prevent security downgrades.

There is no global standard related to this requirement, manufacturers say.

Reporting by Munsif Vengattil and Aditya Kalra; Editing by William Mallard

Our Standards: The Thomson Reuters Trust Principles., opens new tab

Purchase Licensing Rights

Based in Bengaluru, Munsif Vengattil leads Reuters’ technology news coverage in India. He tracks themes at the intersection of tech, business, and labor.
A reporter for nine years, Munsif has written extensively on India’s electronics manufacturing aspirations and its tech policy space, AI and election interference, satellite internet, streaming wars, and data breaches. His stories also focus on investigating corporate strategies and revealing India-specific initiatives and challenges of the biggest of tech firms – from Apple, Facebook, and Google, to Foxconn, Samsung, and Nvidia.

Aditya Kalra is the Company News Editor for Reuters in India, overseeing business coverage and reporting stories on some of the world’s biggest companies. He joined Reuters in 2008 and has in recent years written stories on challenges and strategies of a wide array of companies — from Amazon, Google and Walmart to Xiaomi, Starbucks and Reliance. He also extensively works on deeply-reported and investigative business stories.