India mandates state-run cyber safety app for all smartphones

India has mandated that all new smartphones be preloaded with a state-run cybersecurity app, raising concerns about privacy and surveillance.

The order, passed last week but made public on Monday, gives smartphone manufacturers 90 days to ensure that all new devices include the government’s Sanchar Saathi app, which “cannot disable or limit its functionality.”

It said it was needed to help citizens verify the authenticity of their devices and report suspected misuse of telecommunications resources.

The move, one of the world’s largest phone markets with more than 1.2 billion mobile users, was criticized by cyber experts as a violation of citizens’ privacy rights.

Subject to the app’s privacy policy, you can make and manage calls, send messages, access call and message history, photos and files, as well as your phone’s camera.

“Put simply, this would turn every smartphone sold in India into a container for state-mandated software that users cannot meaningfully opt out, control, or remove,” the Internet Freedom Foundation, an advocacy group, said in a statement.

Amid growing criticism, India’s Communications Minister Jyotiradtiya Scindia said that mobile phone users will have the option to delete the app if they do not want to use it.

“This is a completely voluntary and democratic system. Users can activate the app and take advantage of its benefits, and if they don’t want it, they can easily delete it from their phone at any time,” he wrote to X.

However, the Minister did not make clear how this would be done if the app’s functionality could not be disabled or restricted.

The Sanchar Saathi app, launched in January, allows users to check a device’s IMEI, report a lost or stolen phone, and report suspected fraudulent communications.

IMEI (International Mobile Equipment Identity) is a unique 15-digit code that identifies and authenticates mobile devices on cellular networks. The code is basically your phone’s serial number.

India’s Ministry of Telecommunications said in a statement that mobile handsets with duplicate or spoofed IMEI numbers pose a “serious risk” to telecom cybersecurity.

“India has a large market for used mobile devices. We have also observed instances of stolen or blacklisted devices being resold,” he said, adding, “This encourages crime and causes financial losses to buyers.”

The new rules state that pre-installed apps must be “easily visible and accessible” when users set up their devices, and their functionality cannot be disabled or restricted.

Smartphone manufacturers should also “make efforts” to provide apps through software updates for devices that have left the factory but have not yet been sold, the statement said.

All companies were asked to provide a compliance report for their orders within 120 days.

The government said the move would strengthen communications cybersecurity. The app has helped recover more than 700,000 lost phones, including 50,000 in October alone, according to a Reuters report citing official figures.

But experts say the app’s broad permissions raise concerns about how much data it can collect and broaden the scope of its surveillance.

Technology analyst Prasanto K Roy said the bigger concern was how much access to apps would eventually be allowed on phones.

“We don’t know exactly what it’s doing, but what we do know is that it’s asking for a huge amount of permissions – potentially accessing almost everything from flashlights to cameras. That in itself is worrying,” he told the BBC.

On the Google Play Store, the app says it doesn’t collect or share user data. The BBC referred questions about the app and privacy issues related to it to the Department of Communications.

Roy added that compliance will be difficult because the order goes against the policies of most phone manufacturers, including Apple.

“Most companies prohibit installing government or third-party apps on smartphones before selling them,” he says.

While India’s smartphone market is dominated by Android, Apple’s iOS accounted for about 4.5% of the 735 million smartphones in the country by mid-2025, according to Counterpoint Research.

Apple has not commented publicly, but Reuters reported that Apple would not follow suit and would “pass its concerns to Delhi.”

India is not the only country that has tightened its regulations on device verification.

Last August, Russia raised similar privacy and surveillance concerns when it ordered the state-backed MAX Messenger app to be pre-installed on all phones and tablets sold domestically.

Follow BBC News India Instagram, youtube, twitter and Facebook.