The Centre’s plans for a new mobile phone security framework have unsettled smartphone makers and digital rights groups, opening a fresh debate over how far the state should go in regulating consumer technology.

At the centre of the concern is a proposal, first reported by Reuters earlier this month, that could require smartphone manufacturers to make their source code available for official review. While the Ministry of Electronics and Information Technology (MeitY) says consultations are ongoing and has denied seeking access to source code, the issue has emerged as a flashpoint between the government and the global technology industry.

Also Read | Smartphone makers are betting big on AI features. Consumers see them as gimmicks

The unease has been sharpened by India’s telecom security framework, particularly the Indian Telecom Security Assurance Requirements (ITSAR), a set of standards drawn up by the National Centre for Communication Security (NCCS) under the Department of Telecommunications. ITSAR documents covering telecom and mobile equipment, including 5G access gear, state that “source code shall be made available either at the Telecom Security Testing Laboratory (TSTL) premises or at a mutually agreed location for source code review by the designated TSTL".

The unease has been sharpened by India’s telecom security framework, particularly the Indian Telecom Security Assurance Requirements (ITSAR), a set of standards drawn up by the National Centre for Communication Security (NCCS) under the Department of Telecommunications. ITSAR documents covering telecom and mobile equipment, including 5G access gear, state that “source code shall be made available either at the Telecom Security Testing Laboratory (TSTL) premises or at a mutually agreed location for source code review by the designated TSTL".

While these requirements currently apply to specified telecom equipment, similar provisions are being discussed in draft form for smartphones, a shift that would bring consumer devices under a regulatory approach traditionally reserved for network infrastructure.

With 85% of Indian households owning at least one smartphone in 2025, according to the ministry of statistics and programme implementation, the government argues that tighter oversight is needed to protect users from cyber threats and digital fraud. Smartphone makers counter that mandatory access to source code cuts close to their most valuable intellectual property and could ultimately weaken device security.

Mint takes a closer look.

Why has the source code issue surfaced now?

The debate reflects India’s broader effort to expand telecom-style security oversight beyond networks to end-user devices.

ITSAR, which until recently focused on core telecom equipment such as routers and optical devices, is now being extended in draft form to smartphones. This signals a shift in how the government views consumer devices, not merely as personal gadgets, but as part of the country’s critical digital infrastructure.

According to the Reuters report, the government is considering a package of 83 security requirements for smartphones sold in India, aimed at introducing device-level assurances similar to those that already apply to telecom network equipment.

The proposed rules include advance notification of major operating system updates and security patches, mandatory system logging for at least 12 months, periodic malware scans, tighter controls on access to microphones, cameras and sensors, protections against unauthorized rollback to older software versions, and provisions allowing users to uninstall pre-loaded applications.

Taken together, the proposals would place smartphones under a certification and compliance regime closer to that applied to telecom infrastructure. The government’s case is that in a market projected to have more than one billion smartphone users in 2025, according to the Internet and Mobile Association of India, such oversight is necessary to reduce systemic risk in digital payments, banking and government services.

What is source code—and why does it matter?

Source code is the human-readable set of instructions that governs how software functions. In smartphones, it controls everything from system boot-up and memory management to encryption, hardware access and permission controls.

Modern smartphone operating systems run into tens of millions of lines of code. While some components are open source, large portions, particularly those related to security, hardware integration and optimization, are proprietary, determining how biometric data is protected, how updates are authenticated and how vulnerabilities are blocked.

For companies such as Apple, Samsung and Google, this code represents years of engineering effort and billions of dollars in research and development, as well as a key source of competitive advantage.

This is why access to source code differs fundamentally from hardware inspections or black-box security tests, which assess how a device behaves without exposing its internal design. Source code review offers deep visibility into system architecture, including the logic underpinning security defences.

What’s the argument for source code review?

From the government’s perspective, source code review would allow independent verification that devices function as claimed and do not contain hidden vulnerabilities or backdoors that could be exploited at scale.

At present, there is no routine, market-wide third-party certification required before smartphones are sold in India, with security assurance largely resting on manufacturers’ internal testing and platform controls. Source code access is seen as enabling deeper scrutiny of safeguards such as malware detection, sensor controls and update mechanisms.

Why are manufacturers and civil society pushing back?

The primary concern for manufacturers is intellectual property. Smartphone operating systems contain proprietary algorithms and design choices treated as trade secrets. Even limited disclosure to testing laboratories raises fears of leaks, reverse-engineering or misuse, particularly in a global supply chain spanning multiple jurisdictions.

Manufacturers also argue that widening access to sensitive system code could weaken security rather than strengthen it, since modern device security depends on limiting deep system visibility alongside rapid patching.

There are operational concerns too. Smartphones receive frequent updates, including emergency fixes, and any requirement for prior review risks delaying patches and leaving users exposed.

Civil-society groups have raised parallel privacy concerns, warning that deeper state involvement in device software raises questions about surveillance and safeguards.

How have other countries approached this?

Globally, governments have moved to strengthen smartphone and software security, but few have required routine access to proprietary source code for consumer devices.

In the US, smartphone security is governed by a patchwork of laws and standards rather than a single certification regime, including secure-by-design rules, supply-chain requirements and consumer-protection enforcement. There is no blanket mandate for source code disclosure before devices are sold.

The European Union has taken a similar approach, with laws such as the Cyber Resilience Act focusing on secure design, conformity assessments and vulnerability reporting rather than source-code access.

China is often cited as more intrusive, but even there access to source code has been contested. Apple has resisted regulatory pressure to provide iOS source code, with the dispute ending in compromises such as local data storage rather than routine access.

Across major markets, governments have relied on audits and targeted reviews, not sweeping mandates for consumer handset source code.

What happens next?

The government has pushed back against claims that it plans to force companies to hand over source code. The Press Information Bureau has said no such mandate has been proposed, even as groups such as the Internet Freedom Foundation point out that ITSAR documents explicitly mention source code testing.

In a public statement, the IFF said, “However, this denial stands in stark contrast to the existence of detailed technical documents available on a government website…A simple denial via social media cannot erase the existence of policy drafts that are already in the public domain or under active discussion."

Also Read | Inside the race to be India’s top smartphone in 2025

MeitY officials have said consultations are ongoing and that industry feedback will be considered. According to Reuters, MeitY is now leading these discussions rather than the telecom department.

There are precedents for course correction. In late 2025, the government faced backlash over a directive to pre-install the Sanchar Saathi mobile security app on smartphones, and later clarified that the app would not be mandatory.

India accounts for roughly one in five smartphones sold globally, with brands such as Samsung, Xiaomi and Apple competing aggressively for market share. Any move to mandate deep access to device software would therefore have implications far beyond India.

For now, consultations continue. What is clear is that as smartphones become central to economic and social life, decisions about security, privacy and control will shape India’s digital ecosystem for years to come.