India’s proposed phone security rules that are worrying tech firms
Sign up now: Get insights on Asia's fast-moving developments
Apps cannot access cameras, microphones or location services in the background when phones are inactive.
PHOTO ILLUSTRATION: PIXABAY
Follow topic:
NEW DELHI - These are key security requirements India is proposing for smartphone makers like Apple and Samsung, prompting opposition from tech companies, according to four sources, as well as industry and government documents seen by Reuters.
Source code disclosure
Manufacturers must test and provide proprietary source code for review by government-designated labs to identify vulnerabilities in phone operating systems that could be exploited by attackers.
Industry group MAIT, which represents Apple, South Korea’s Samsung, Google, China’s Xiaomi, has told the government this is “not possible” due to corporate secrecy and global privacy policies.
Background permissions restrictions
Apps cannot access cameras, microphones or location services in the background when phones are inactive. Continuous status bar notifications are required when these permissions are active.
Manufacturers say this lacks any global precedent and there is no specific test method prescribed.
Permission review alerts
Devices must periodically display warnings prompting users to review all app permissions, with continuous notifications. Companies say notice should be limited to “highly critical” permissions.
One-year login retention
Devices must store security audit logs, including app installations and login attempts, for 12 months.
MAIT argues consumer phones lack the storage capacity for a year of data.
Periodic malware scanning
Phones must periodically scan for malware and identify potentially harmful applications.
Manufacturers warn that constant on-device scanning significantly drains the battery and slows hardware performance.
Option to remove pre-installed apps
All pre-installed apps bundled with the phone operating system, except those essential for basic phone functions, must be deletable.
Companies argue many apps are critical system components that cannot be removed.
Informing government of major updates
Phone makers must notify a government organisation before releasing any major updates or security patches.
Manufacturers argue this is “impractical” because security fixes must be released quickly to protect users from active exploits, while government delays could leave users vulnerable.
Tamper-detection warnings
Devices must detect if phones have been rooted or “jailbroken”, where users bypass built-in security restrictions, and display continuous warning banners to recommend corrective measures.
Companies say there is no reliable mechanism to detect jailbreaking.
Anti-rollback protection
Phones must permanently block installation of older software versions, even if officially signed by the manufacturer, to prevent security downgrades.
There is no global standard related to this requirement, manufacturers say. REUTERS
