
Indian Government Reverses Course on Security App Mandate for Smartphone Makers After Public Uproar

A highly controversial directive requiring smartphone makers to put a national security app on all new devices has been withdrawn by the Indian government, after opposition parties and privacy advocates labeled it a “snooping app” and compared it to the Pegasus spyware sold by Israeli manufacturer NSO Group.

In one respect the incident more closely resembled the UK government's early 2025 order to Apple to build a universal backdoor into its cloud storage: it was issued in secret last month and only came to public attention when it was leaked to newspapers. The Indian government, however, says that while smartphone makers would have been required to install the security app and to ensure that certain of its functions could not be disabled, end users would not have been forbidden from simply uninstalling it.

“Sanchar Saathi” security app not intended for snooping, Indian government claims

The backpedal on the security app came just days after the news was leaked to the press, causing an immediate outcry from privacy advocates and from the political opposition to the ruling Bharatiya Janata Party (BJP) led by Narendra Modi. The “Sanchar Saathi” (“Communication Partner”) app is already available in app stores and has around 10 million voluntary downloads, offering a variety of cybersecurity functions such as the ability to directly report suspected fraud and to block lost or stolen devices. But the secret order, issued in late November, would have made it a mandatory inclusion on all new devices from smartphone makers within 90 days. Smartphone makers would also have been required to push it to older, still-supported devices via a security update.

The national Ministry of Communications responded to the outcry by issuing a statement on December 3 stating that the security app would not be forced on smartphone makers, and that even had the order gone forward, the app would have required opt-in activation by the end user, who would also have been able to delete it. This conflicts with the leaked order, which reportedly told smartphone makers that key app features could not be disabled or restricted by the user. Given only about 10 million voluntary installations to date in a country with over half a billion estimated smartphone users, there did not appear to be a great deal of public interest in voluntary use of the security app. However, the government claims that there have been six hundred thousand new voluntary downloads this week alone.

The privacy policy of the security app asks Android users for access to call logs, photos and the phone camera, as well as permission to make and manage phone calls. iOS users are asked for access to the camera as well as stored photos and files.
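A privacy policy describes what an app says it will ask for; the permissions it actually declares live in its manifest, which is what a practitioner should audit. The script below is an added example and is not code from CPO Magazine or from the Sanchar Saathi project: it parses a constructed AndroidManifest.xml (the one embedded here mirrors the permission categories the article lists, plus a location permission added deliberately to exercise the mismatch check; it is not a claim about the real app), groups the runtime ("dangerous") permissions the way Android prompts for them, compares them against the groups the privacy policy discloses, and flags two manifest settings relevant to the "cannot be disabled" concern: `android:persistent`, which is honoured only for apps shipped in the system image, and a BOOT_COMPLETED receiver, which lets an app restart itself after every reboot. The package name and the `POLICY_GROUPS` mapping are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS            # android:name
PERSISTENT_ATTR = "{%s}persistent" % ANDROID_NS  # android:persistent
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Runtime (dangerous) permissions, keyed to the group Android prompts for.
# Only the groups relevant to this audit are listed.
DANGEROUS_GROUPS = {
    "android.permission.READ_CALL_LOG": "CALL_LOG",
    "android.permission.WRITE_CALL_LOG": "CALL_LOG",
    "android.permission.CALL_PHONE": "PHONE",
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.ANSWER_PHONE_CALLS": "PHONE",
    "android.permission.CAMERA": "CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.READ_MEDIA_IMAGES": "READ_MEDIA_VISUAL",
    "android.permission.READ_SMS": "SMS",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
}

# Assumed mapping of what the privacy policy discloses (call logs, photos,
# camera, make/manage calls) onto Android permission groups.
POLICY_GROUPS = {"CALL_LOG", "PHONE", "CAMERA", "READ_MEDIA_VISUAL", "STORAGE"}

# Constructed sample manifest; the package name is hypothetical and the
# location permission is included only to exercise the mismatch check.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.securityapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Example" android:persistent="true">
        <receiver android:name=".BootReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Return requested permissions, dangerous ones by group, and two
    'stays running' indicators (persistent flag, boot receiver)."""
    root = ET.fromstring(xml_text)
    requested = [e.get(NAME_ATTR) for e in root.iter("uses-permission")]
    dangerous = {}
    for perm in requested:
        group = DANGEROUS_GROUPS.get(perm)
        if group is not None:
            dangerous.setdefault(group, []).append(perm)
    app = root.find("application")
    # android:persistent is ignored for ordinary sideloaded apps; it matters
    # precisely when the app is preinstalled in the system image.
    persistent = app is not None and app.get(PERSISTENT_ATTR) == "true"
    boot_receiver = any(a.get(NAME_ATTR) == BOOT_ACTION for a in root.iter("action"))
    return {
        "requested": requested,
        "dangerous": dangerous,
        "persistent": persistent,
        "boot_receiver": boot_receiver,
    }


def undisclosed_groups(audit, policy_groups):
    """Permission groups the manifest requests but the policy never mentions."""
    return set(audit["dangerous"]) - set(policy_groups)


if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST)
    for group, perms in sorted(result["dangerous"].items()):
        print(f"{group}: {', '.join(perms)}")
    print("persistent:", result["persistent"], "boot receiver:", result["boot_receiver"])
    print("not disclosed in policy:", sorted(undisclosed_groups(result, POLICY_GROUPS)))
```

To run this against a real APK rather than the constructed sample, extract the decoded manifest with `apkanalyzer manifest print app.apk` (Android SDK) or list the declared permissions with `aapt dump badging app.apk`, then feed that text to `audit_manifest`. Declared permissions are an upper bound on what the app can do; whether each one has actually been granted is a separate per-device check.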

Secret order to smartphone makers recalls UK controversy

The incident recalled one from the UK early in 2025, when the UK government used the powers of the Investigatory Powers Act 2016 to issue a similar secret order to Apple. That order would have required the company to build a universal backdoor into its end-to-end encrypted iCloud storage, accessible to UK intelligence and law enforcement agencies, and it also barred the company from notifying the public, prompting leaks to media outlets. Shortly after the leaks, Apple withdrew the “Advanced Data Protection” feature entirely in the UK. The government reportedly scuttled the order in August, but privacy groups say a new secret order was issued in October that narrows the backdoor requirement to users in the UK.

Reuters quoted anonymous sources indicating that Apple also did not intend to comply with the Indian government’s order and would have cited the creation of security vulnerabilities as the reason. Other smartphone makers were said to be reviewing the feasibility of the order, but had no comment.

Though a number of more authoritarian countries have been criticized for their monitoring of apps, there is no direct precedent for a national government mandating that a security app be preinstalled on phones. The closest comparison is an order from the Russian government three months ago requiring smartphone makers to preinstall “MAX”, a state-backed messenger in the style of WhatsApp. The Indian government has previously made some apps available that store and verify identity documents and biometrics (such as DigiLocker and DigiYatra), but these are optional and pitched as a convenience when traveling or accessing government benefits.

The concern among privacy advocates is not necessarily what the government might do with the security app right now, but how it might be abused or even repurposed in the future. The country has long struggled with corruption among lower-level employees working in its Aadhaar identification system, and with even longer-standing and more entrenched bribery problems in regional law enforcement agencies.

Michael Bell, CEO at Suzu Labs, notes that this situation makes transparency about such programs extremely important: “The problem with India’s approach wasn’t the goal of improving mobile security, it was the implementation: closed-source code, root-level access, no independent audit, and no user control. If the goal is mandatory security that doesn’t become surveillance, the framework needs to be transparent (open-source, publicly auditable), minimal (only the permissions absolutely necessary), and accountable (independent oversight, clear data access logs). The EU’s approach with GDPR and the upcoming Cyber Resilience Act comes closest to getting this right: they mandate security outcomes and transparency requirements on vendors rather than installing government software on every device, which keeps the trust relationship between users and their hardware intact. The honest answer is that perfect security and perfect privacy are fundamentally in tension, and any system that claims otherwise is lying. What we can do is shift the burden: instead of governments monitoring citizens, require device manufacturers and app developers to meet security baselines, mandate transparency about data collection, and give users genuine control. The US hasn’t gotten this right at scale, though California’s CCPA and some state-level IoT security laws are moving in the right direction by regulating the ecosystem rather than surveilling the endpoint.”

George McGregor, VP at Approov, adds: “Security isn’t based on who publishes an app, but on how that app proves its integrity and behavior. Government apps need to be held to the same standard of provable security and transparency as any other apps. Without strong safeguards like runtime attestation and Zero Trust principles, mandatory apps risk becoming new vectors for abuse, surveillance, or exploitation — even if well-intentioned.”

Ted Miracco, CEO at Approov, suggests that the legitimate stated goals of the security app might be better accomplished through trusted third parties than through mandates issued to smartphone makers: “True security cannot reside in the operating system alone because the OS can be compromised. It must be anchored in silicon, and the tech giants do facilitate security via the Secure Enclave (Apple), the Titan M2 chip (Google) and Knox Vault (from Samsung). These are separate microcomputers inside your phone with their own processor and memory that store your biometric data and encryption keys. We must ensure apps use these hardware APIs to generate keys that never leave the secure chip, and this data cannot be shared with governments, which was the overreach by the Indian government with the Sanchar Saathi app that has unfettered access to device level APIs. To roll back Big Tech without empowering “Big Brother,” we must decouple service from surveillance using both laws and source code. The legal lever involves enforcing an “Information Fiduciary” standard, which legally obligates tech companies to act in your best interest by banning them from exploiting your data for profit and effectively neutralizing their exploitative business models. The technical lever involves Self-Sovereign Identity (SSI) and Zero-Knowledge Proofs (ZKP), which ensure that while these fiduciaries can verify you are a citizen or over 18, they technically never possess your raw identity data; this means that when a government issues a subpoena or demands mass surveillance, the tech giants have no central database to hand over because the keys remain exclusively on your mobile device in the secure silicon enclave.
While the EU’s GDPR focuses on protecting data, the DGA (passed in 2022) focuses on restructuring who holds it – creating a regulated class of “Data Intermediaries”, as neutral third parties that legally cannot use your data for their own profit like selling ads. Instead of you fighting Facebook alone, you join a “Data Cooperative” or “Data Union” where the union holds your data in a vault and if a company wants to target you with ads, they must negotiate with your union, which can demand a fee or strict privacy guarantees. Hence, the mobile app never “owns” the data, but they can license access to it temporarily.”


Senior Correspondent at CPO Magazine