IT Brief India - Technology news for CIOs & IT decision-makers
India

Guides

#
artificial intelligence
#
digital transformation
#
disaster recovery
#
hybrid & remote work
#
internet of things

Search

Indian city smartphone app icon dissolving privacy relief scene
#
Data Protection
#
Surveillance
#
Encryption

India drops mandatory Sanchar Saathi app on smartphones

Wed, 17th Dec 2025
Author image
By Kaleah Salmon, News Editor

India has reversed a directive that required smartphone makers, including Apple and Samsung, to pre-install a government-developed security and surveillance app on all new handsets.

The Ministry of Communications removed the obligation to ship devices with the Sanchar Saathi app. The app forms part of a national programme that tracks lost and stolen phones and monitors mobile connections linked to citizens' identity documents.

The move has drawn a reaction from mobile security specialists, who warned that mandatory government apps pose risks to privacy and device security.

Ted Miracco, Chief Executive of mobile app security firm Approov, said the episode underlined a broader struggle between regulators and large technology platforms. "With most of us living and working on our mobile devices, the challenge is not just balancing security and privacy, but also balancing control of the private information between the tech giants as 'gatekeepers' and government regulators, who often lack the expertise or execution to keep up with the pace of technological changes," said Miracco.

Sanchar Saathi runs deep within the device and links to telecom subscriber data. Critics have said this design grants extensive access to handset functions and user information.

Miracco argued that secure smartphone systems must rest on hardware rather than software alone. "True security cannot reside in the operating system alone because the OS can be compromised. It must be anchored in silicon, and the tech giants do facilitate security via the Secure Enclave (Apple), the Titan M2 chip (Google) and Knox Vault (from Samsung). These are separate microcomputers inside your phone with their own processor and memory that store your biometric data and encryption keys. We must ensure apps use these hardware APIs to generate keys that never leave the secure chip, and this data cannot be shared with governments, which was the overreach by the Indian government with the Sanchar Saathi app that has unfettered access to device level APIs," said Miracco.

He said governments and large platforms both seek greater influence over user data. He also said the structure of law and software can change that balance.

"To roll back Big Tech without empowering ;Big Brother,' we must decouple service from surveillance using both laws and source code. The legal lever involves enforcing an 'information Fiduciary' standard, which legally obligates tech companies to act in your best interest by banning them from exploiting your data for profit and effectively neutralising their exploitative business models. The technical lever involves Self-Sovereign Identity (SSI) and Zero-Knowledge Proofs (ZKP), which ensure that while these fiduciaries can verify you are a citizen or over 18, they technically never possess your raw identity data; this means that when a government issues a subpoena or demands mass surveillance, the tech giants have no central database to hand over because the keys remain exclusively on your mobile device in the secure silicon enclave," said Miracco.

Miracco also pointed to recent European regulation that creates new roles in the data economy. He said this model separates the storage and use of personal information.

"While the EU's GDPR focuses on protecting data, the DGA (passed in 2022) focuses on restructuring who holds it - creating a regulated class of 'Data Intermediaries', as neutral third parties that legally cannot use your data for their own profit like selling ads. Instead of you fighting Facebook alone, you join a 'Data Cooperative' or 'Data Union' where the union holds your data in a vault and if a company wants to target you with ads, they must negotiate with your union, which can demand a fee or strict privacy guarantees. Hence, the mobile app never 'owns' the data, but they can license access to it temporarily," said Miracco.

Concerns over precedent

Approov executive George McGregor said India's original decision showed the tension between public safety measures and individual device control.

"Government initiatives to reduce mobile-enabled crime through citizen-facing apps are laudable - public safety is a critical goal. But making such apps mandatory sets a troubling precedent. Which apps are installed on an individual device must always be a personal choice," said McGregor, Vice President, Approov.

McGregor said the origin of an app does not guarantee its security. He said design and verification matter more than the publisher. "Security isn't based on who publishes an app, but from how that app proves its integrity and behaviour. Government apps need to be held to the same standard of provable security and transparency as any other apps. Without strong safeguards like runtime attestation and Zero Trust principles, mandatory apps risk becoming new vectors for abuse, surveillance, or exploitation - even if well-intentioned."

Implementation risks

Michael Bell, Chief Executive of security research firm Suzu Labs, said the Indian requirements around Sanchar Saathi raised multiple technical and governance issues. "The problem with India's approach wasn't the goal of improving mobile security; it was the implementation: closed-source code, root-level access, no independent audit, and no user control. If the goal is mandatory security that doesn't become surveillance, the framework needs to be transparent (open-source, publicly auditable), minimal (only the permissions absolutely necessary), and accountable (independent oversight, clear data access logs).

"The EU's approach with GDPR and the upcoming Cyber Resilience Act comes closest to getting this right: they mandate security outcomes and transparency requirements on vendors rather than installing government software on every device, which keeps the trust relationship between users and their hardware intact," said Bell.

Bell contrasted different regional models for data and device regulation. He said some US initiatives are starting to follow a systems-based path rather than an endpoint focus.

"The honest answer is that perfect security and perfect privacy are fundamentally in tension, and any system that claims otherwise is lying. What we can do is shift the burden: instead of governments monitoring citizens, require device manufacturers and app developers to meet security baselines, mandate transparency about data collection, and give users genuine control. The US hasn't gotten this right at scale, though California's CCPA and some state-level IoT security laws are moving in the right direction by regulating the ecosystem rather than surveilling the endpoint," said Bell.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
Rubrik unveils sovereign cloud to keep sensitive data local
Cloudflare buys Human Native to reshape AI data deals
Asimily boosts Cisco ISE with new device microsegmentation
Infobip refreshes leadership team with four promotions
Cyb3r Operations raises $5.4m to tackle cyber risk

Top stories

Anthropic names Irina Ghose to lead India expansion
MSSPs key to securing India’s fast-growing SMB sector
Logitech maps five key trends for the hybrid office
Cloudflare: outdated apps stifle APAC AI investment gains
How AI helps neurodivergent professionals showcase their strengths