India Orders Phone Makers to Preload Non-Removable State Cybersecurity App on All Devices

India’s Telecom Ministry has directed major smartphone manufacturers to pre-install a non-removable government cybersecurity app on all new mobile phones sold in the country, triggering strong pushback from digital rights groups and potentially global device makers.

The confidential order, issued on November 28 to companies including Apple, Samsung, Xiaomi, Oppo and Vivo, gives manufacturers 90 days to ensure the Sanchar Saathi app is built into every new handset. Users will not be able to delete or disable the app. Devices already produced or currently in the supply chain must also receive the app through software updates, the notice states.

According to the government, the mandate is aimed at tackling cybercrime, preventing the misuse of stolen phones and curbing fraudulent activities linked to altered or duplicate IMEI numbers. The directive has been issued under the Telecommunication (Telecom Cyber Security) Rules, 2024, which were amended in October 2025. These rules empower the Centre to seek support from device makers on cases involving tampered identifiers and require full cooperation from all manufacturers and importers.

The order cites Rule 5, which allows the government to set up digital systems to mitigate cyber threats. Officials say the Sanchar Saathi platform enables users to verify device authenticity, report fraudulent activity and help authorities identify stolen or compromised phones. With this move, India joins countries such as Russia that require mandatory preloaded government apps as part of national cybersecurity protocols.

However, the requirement has raised alarm among privacy advocates and technology companies. The order states that the app must be visible to users as soon as the device is set up, and its functions “must not be disabled or restricted.” Manufacturers must also submit compliance reports within 120 days. Any failure to comply can attract action under the Telecommunications Act, 2023, the Cyber Security Rules, and other applicable laws. The directive, signed by Pranay Diwakar, ADG (AI & DIU), comes into effect immediately and will remain in force unless amended or withdrawn.

Apple, which previously resisted the installation of a government anti-spam app due to privacy concerns, is expected to oppose the new requirement as well, potentially setting the stage for renewed friction with Indian regulators.

The Internet Freedom Foundation (IFF) issued a strongly worded statement condemning the order, calling it “a deeply worrying expansion of executive control over personal digital devices.” The group argues that forcing a permanent, undeletable app effectively turns every smartphone into a conduit for state-mandated software that users cannot avoid.

IFF warned that such an app would likely need system-level privileges, similar to unremovable carrier or manufacturer apps—raising the risk that it could access sensitive data. Referring to the Supreme Court’s landmark K.S. Puttaswamy ruling on privacy, the organisation said the directive fails the proportionality test required for any action that infringes on fundamental rights.

According to IFF, the government already offers less intrusive verification tools—such as the Sanchar Saathi website, SMS-based KYM checks and USSD codes—making a mandatory permanent app unnecessary. The group also cautioned against “function creep,” noting that the order uses broad terms like acts that “endanger telecom cyber security.” This ambiguity, it says, could allow the app’s scope to be expanded over time without public scrutiny.

“Today the app may simply verify IMEIs. Tomorrow it could be updated to detect banned apps, monitor VPN use, scan SMS logs or track SIM activity in the name of security,” IFF warned. The organisation has filed a Right to Information request seeking the full order and the government’s reasoning.

“We will fight this direction till it is rescinded,” IFF said.