India’s Smartphone Security Push: Privacy and Proprietary Tensions Rise as ITSAR Draft Faces Industry Pushback

A widening policy dispute is emerging between New Delhi and global smartphone makers over a proposed 83-point security framework that could reshape how devices are tested, updated and monitored in India.

The draft framework — referred to by stakeholders as the Indian Telecom Security Assurance Requirements (ITSAR) — remains in the consultation stage. However, industry bodies and digital rights groups have raised concerns that certain provisions could introduce unusual compliance burdens and create privacy risks if implemented in their current form.

The government has sought to cool tensions. Responding to recent media reports, the Ministry of Electronics and Information Technology (MeitY), through the government’s fact-check channel, stated on January 11, 2026 that claims suggesting India was mandating smartphone makers to share proprietary source code were “fake”, adding that consultations are ongoing and no final rules have been notified.

A market too big to ignore

India is one of the world’s largest smartphone markets and remains a critical growth engine for global handset brands.

Industry projections have estimated that India could reach around one billion smartphone users by 2026, a scale that makes security policy decisions commercially and geopolitically significant.

Officials argue that this scale also increases cybersecurity exposure, as India faces rising online fraud, data theft, and sophisticated digital attacks.

What ITSAR could change for phone makers

Industry stakeholders say draft requirements could force major engineering and operational changes for OEMs such as Apple, Samsung, Google and others.

Among the proposals cited by industry stakeholders are measures related to:

• device security architecture and hardening standards
• audit logging and device activity records
• malware scanning and permission controls
• requirements around software patch processes and certification

Some draft provisions also focus on improving user control — including proposals aligned with reducing unwanted pre-installed apps and strengthening consent around sensitive permissions such as microphone and camera access.

Industry concerns: log storage, update friction, and device performance

Even as the government disputes the “source code” framing, industry groups such as MAIT have raised objections to other elements of the draft, arguing they are difficult to implement at scale and could create user-side downsides.

Key concerns include:

1) Year-long log retention

Industry has flagged proposals that could require devices to retain security/audit logs for up to 12 months, arguing that:

• consumer devices may not have adequate storage headroom
• it could increase privacy risks if logs are misused or compromised
• implementation could raise cost and complexity for mass-market devices

2) Software update notification requirements

Stakeholders have also expressed concern about draft provisions requiring advance notification to authorities for certain updates, warning that:

• security patch timelines may slow during active threat scenarios
• “zero-day” fixes depend on rapid deployment
• delays could increase exposure to exploitation

3) Mandatory periodic malware scans

Engineers and privacy advocates argue that enforced scanning could:

• increase battery consumption
• reduce device performance
• raise questions around scanning scope, permissions and safeguards

Privacy groups warn against “infrastructure for oversight”

Civil liberties groups, including the Internet Freedom Foundation (IFF), have called for clear limits to prevent cybersecurity regulation from becoming a vehicle for overreach.

Rights advocates argue the debate extends beyond source code, and centers on whether proposed mechanisms could enable deeper monitoring of device activity if not carefully bounded by privacy safeguards and independent accountability.

Summary

India is drafting an 83-point smartphone security framework (ITSAR) aimed at raising cybersecurity standards in a fast-growing digital market. The government has denied claims that it is seeking proprietary source code from smartphone makers, stating such reports are false and consultations are ongoing. However, manufacturers and civil liberties groups remain concerned about other provisions—such as 12-month on-device log retention, requirements around software update notification, and mandatory periodic malware scans—arguing these could affect privacy, performance, and update speed.

Frequently asked questions (FAQs)

Q1: What is ITSAR?

ITSAR refers to proposed Indian Telecom Security Assurance Requirements, a draft set of security standards for devices sold in India, aimed at improving cybersecurity and device-level safeguards.

Q2: Did India demand smartphone source code access?

The government said no. On January 11, 2026, the official fact-check channel called such claims “fake” and stated consultations are still ongoing.

Q3: Why are phone makers concerned?

Industry groups have flagged feasibility and risk concerns around measures such as 12-month log retention, malware scanning, and requirements tied to update processes that could slow deployment of critical security patches.

Q4: How many users could be impacted?

Potentially the entire smartphone market. Industry projections estimate India could reach around one billion smartphone users by 2026, making any nationwide device standard highly impactful.

Q5: Will users be able to delete pre-installed apps?

One of the proposals cited by stakeholders includes allowing users to uninstall non-essential pre-loaded apps to increase user control, though final details would depend on the notified version of the framework.

Q6: What is the current status?

The framework is in the stakeholder consultation stage. No final notified regulation has been issued.