India proposes that smartphone manufacturers be required to share source code with the government and make several changes to software as part of a set of security measures. This has sparked behind-the-scenes resistance from giants such as Apple and Samsung.
Tech companies argue that the package of 83 security standards, which would also include a requirement to notify the government of important software updates, has no global precedent and risks exposing confidential details, according to four well-informed sources.
The plan is part of Prime Minister Narendra Modi's efforts to increase user data security as online fraud and data leaks increase in the world's second-largest smartphone market, with nearly 750 million phones.
India's IT minister told Reuters that "any legitimate concerns of the industry will be addressed with an open mind," adding that it was "premature to look into it in detail." His spokesman added that he could not comment further on the proposals due to ongoing consultations with technology companies.
Global giants Apple, Samsung, Google, and Xiaomi did not respond to Reuters' request for comment.
Software changes too
Counterpoint Research estimates that Xiaomi and Samsung, whose phones use Google's Android operating system, hold 19% and 15% of the Indian market, respectively, while Apple holds 5%.
Among the most sensitive requirements in the new measures to ensure telecommunications security in India is access to source code—the basic programming instructions that ensure the functioning of phones. Documents show that Indian experts would analyze and possibly test this code in designated Indian laboratories.
The Indian proposals also require mobile phone manufacturers to make software changes that allow pre-installed applications to be uninstalled and block applications from using cameras and microphones in the background to "prevent their malicious use."
"The industry (phone manufacturers) has expressed concerns that no country has yet mandated global security requirements," according to a December document from the IT ministry detailing meetings officials held with Apple, Samsung, Google, and Xiaomi.
Analysis is not possible
Smartphone manufacturers guard their source code closely. Apple rejected China's request for source code between 2014 and 2016, and US law enforcement agencies have also failed to obtain it.
India's proposals for "vulnerability analysis" and "source code inspection" would require smartphone manufacturers to conduct a "full security assessment," after which testing laboratories in India could verify their claims by inspecting and analyzing the source code.
"This is not possible (...) for secrecy and privacy reasons," the Indian industry group MAIT, which represents mobile phone manufacturers in India, said in a confidential document prepared in response to the government proposal and seen by Reuters. "Major countries in the EU, North America, Australia, and Africa do not impose such requirements."
A source with direct knowledge of the matter said MAIT asked the ministry last week to drop the proposal.
The Indian proposals would require automatic and regular scanning of phones for malware. Device manufacturers would also have to inform India's National Centre for Communications Security about major software updates and security "patches" before releasing them to users, and the centre would have the right to test them.
The MAIT document states that regular malware scanning significantly drains the phone's battery and that obtaining government approval for software updates is "impractical" because such updates have to be released immediately.
India also wants phone logs, the digital records of a device's system activity, to be stored on the device for at least 12 months, but according to MAIT this is not possible due to a lack of capacity.
(reuters, im)