India wants smartphone makers to share source code for security
What's the story
The Indian government is mulling new security regulations for smartphones, including a proposal to make tech companies share their source code. The move has drawn criticism from industry giants such as Apple and Samsung. They argue that the proposed 83-point security standards package, which also includes notifying the government of major software updates, is unprecedented globally and could expose proprietary information.
Official statement
Government's response to industry concerns
IT Secretary S. Krishnan has said that "any legitimate concerns of the industry will be addressed with an open mind," adding it was "premature to read more into it." The plan is part of Prime Minister Narendra Modi's efforts to bolster user data security amid rising online fraud and data breaches in India, the world's second-largest smartphone market with nearly 750 million phones.
Regulation details
Proposed regulations include source code access and software changes
Among the most sensitive requirements in the proposed Indian Telecom Security Assurance Requirements is access to source code, the underlying programming instructions that make phones work. The documents show the code would be analyzed and possibly tested at designated Indian labs. The proposals also require companies to make software changes that allow pre-installed apps to be uninstalled and that block apps from using cameras/microphones in the background "to avoid malicious usage."
Industry pushback
Industry concerns over global security requirements
The industry has raised concerns that no country has mandated such global security requirements. The standards, drafted in 2023, are now under consideration for legal enforcement. Smartphone makers are known to closely guard their source code. Apple had previously rejected China's request for source code between 2014 and 2016, while US law enforcement also failed in similar attempts.
Proposal specifics
Proposals for vulnerability analysis and source code review
The Indian proposals for "vulnerability analysis" and "source code review" would require smartphone makers to conduct a "complete security assessment." After this, test labs in India could verify their claims through source code review and analysis. MAIT, the Indian industry group representing these firms, said in a confidential document that such practices are not possible due to secrecy and privacy concerns.
Withdrawal request
MAIT requests withdrawal of government proposal
MAIT has asked the ministry to withdraw its proposal, a source with direct knowledge told Reuters. The Indian proposals would also require automatic and periodic malware scanning on phones. Device makers would have to inform the National Centre for Communication Security about major software updates and security patches before releasing them to users, and these updates could then be tested by this center.