India’s Source Code Demand: A Clash Over Digital Sovereignty and Corporate Secrets

A sweeping new proposal from the Indian government has set the stage for a defining battle over digital sovereignty, pitting national security ambitions against the fiercely guarded intellectual property of the world’s tech giants. At the heart of the controversy is a package of 83 security standards that would, among other things, require smartphone manufacturers like Apple and Samsung to share their proprietary source code with Indian authorities for review.
While India’s government frames this as a necessary step to protect its nearly 750 million smartphone users, tech companies and industry groups are pushing back, calling the demands an unprecedented overreach that risks exposing core corporate secrets. This conflict reveals a deeper global tension: as nations increasingly view technology through the lens of national security, the traditional rules of global commerce and intellectual property are being fundamentally challenged.
The Proposal: A Complete Security Overhaul
India’s draft security requirements, known as the Indian Telecom Security Assurance Requirements, aim for a comprehensive security overhaul. While the demand for source code disclosure has drawn the most attention, the complete package reveals the government’s intent for deep oversight.
The table below summarizes the key proposed requirements and the industry’s primary objections:
| Proposed Security Requirement | What It Entails | Industry Objection & Concern |
| --- | --- | --- |
| Source Code Disclosure | Manufacturers must test and provide OS source code for review by government-designated labs to identify vulnerabilities. | “Not possible due to corporate secrecy and global privacy policies” (MAIT). No global precedent exists. |
| Background Permission Restrictions | Apps cannot access cameras, microphones, or location in the background. Continuous status bar notifications required when active. | Lacks global precedent; no specific test method prescribed by the government. |
| One-Year Log Retention | Devices must store detailed security audit logs (app installs, login attempts) for 12 months on the device. | Consumer phones lack sufficient storage capacity for a full year of such data. |
| Pre-Installed App Removal | All non-essential pre-installed apps bundled with the OS must be deletable by the user. | Many apps are critical system components; their removal could break core device functionality. |
| Government Notification for Updates | Manufacturers must notify a government body before releasing major updates or security patches. | Deemed “impractical.” Security fixes often need to be released urgently; government delays could leave users vulnerable. |
| Periodic Malware Scanning | Phones must perform automatic, periodic scans for malware and harmful applications. | Constant on-device scanning would significantly drain battery life and slow hardware performance. |
The proposal also includes measures for permission review alerts, tamper-detection warnings for “jailbroken” devices, and anti-rollback protection to block installation of older, less secure software versions.
Timeline and the Government’s Stance
The security standards were initially drafted in 2023 but have recently moved into a crucial consultation phase, with the government now considering making them legal requirements. A key meeting between India’s IT ministry and tech executives was scheduled for the week this news broke.
In a swift response to the initial Reuters report, the Indian government issued a denial. The Ministry of Electronics and Information Technology (MeitY) characterized the discussions as part of a “structured process of stakeholder consultations” intended to develop a robust regulatory framework. The ministry’s statement emphasized that the government is “fully committed to working with the industry” and aims to understand “best international practices”.
This pattern of proposing a mandate, encountering resistance, and then clarifying or softening it is not new for India’s technology policy. In December 2025, the government quickly revoked an order mandating a state-run cyber safety app on phones after public and industry backlash over surveillance concerns. Similarly, a 2022 directive requiring extremely rapid cybersecurity incident reporting saw low compliance and has been scarcely mentioned since.
Why Tech Companies Are Pushing Back
The opposition from companies like Apple, Samsung, Google, and Xiaomi—coordinated through the industry group MAIT—is multifaceted and rooted in both principle and practical business concerns.
- Guarding the “Crown Jewels”: For tech firms, source code represents their most valuable intellectual property—the core innovation that differentiates their products. Handing it over, even to a trusted government lab, creates an existential risk of theft, leaks, or reverse engineering. As MAIT stated in a confidential document, this is “not possible… due to secrecy and privacy”. Apple, in particular, has a historical precedent of refusal, having declined similar requests from China between 2014 and 2016.
- The “No Precedent” Argument: The industry’s unified front emphasizes that no other major economy—including the EU, North America, or Australia—mandates such intrusive access to source code or requires government pre-approval for software updates. Complying would force them to create a unique, India-specific operational model, fracturing their global security and development processes.
- Practical and Technical Hurdles: The industry argues that several requirements are technologically impractical. They claim phones don’t have the storage to retain a full year of logs, that constant malware scanning would cripple battery life, and that there is no foolproof way to detect if a device has been jailbroken. Most critically, they argue that requiring government notification before issuing critical security patches is dangerous, as it could delay fixes for active threats.
A Broader Context: The Global Struggle for Digital Control
India’s proposal is not occurring in a vacuum. It is a prominent example of a global trend where governments are asserting more control over the digital ecosystem within their borders, often citing national security and consumer protection.
- Parallels with Google’s Ecosystem Control: Just months before this proposal surfaced, Google announced its own sweeping policy: starting in 2026, it will require all apps on certified Android devices to be registered by verified developers, even those installed outside the Google Play Store. Google framed this as a security measure to combat fraud and malware. However, critics, including the digital rights group Internet Freedom Foundation (IFF) in India, argue this is an antitrust overreach that stifles the open nature of Android and creates a “gated community” controlled by Google. These simultaneous moves show a landscape where both governments and platform owners are tightening control, albeit for different reasons.
- The Geopolitical Lens: India’s proposal carries a distinct geopolitical undercurrent. The government has previously mandated rigorous testing for security cameras over fears of Chinese spying. An unnamed official, in a previous discussion about pre-installed apps, framed the security concern explicitly: “we want to ensure no foreign nations, including China, are exploiting it”. In this light, the source code demand is as much about auditing for foreign backdoors as it is about general consumer safety.
- The Encryption Precedent: The standoff echoes the long-running “crypto wars” between tech companies and governments worldwide. Apple has famously refused to create backdoors into its encryption for U.S. and UK law enforcement, with its CEO arguing that weakening security for one government weakens it for all. The principle is similar here: exposing source code to one nation, regardless of intent, inherently increases the risk of it falling into the wrong hands globally.
Potential Outcomes and Lasting Implications
The most likely immediate outcome is a protracted negotiation. Given India’s history of backing down or watering down similar aggressive mandates after industry pushback, a compromise solution is probable. This could involve enhanced security audits, vulnerability reporting, or other measures that give the government more assurance without requiring the handover of the full source code.
Regardless of the outcome, this clash signals a new era:
- The End of the “One-Size-Fits-All” Phone: Manufacturers may increasingly have to consider fractured regional standards, designing software and security protocols that satisfy the most stringent national regulators. This increases complexity and cost.
- Digital Sovereignty as a Norm: More countries, especially large economies with digital ambitions, will likely pursue their own versions of technological self-reliance and oversight. India’s proposal, even if softened, may embolden others.
- A Test of Market Power: India is the world’s second-largest smartphone market. Its sheer size gives it substantial leverage. The ultimate resolution will test whether market access is a powerful enough tool to force transnational corporations to relinquish their most guarded secrets. If companies like Apple were to make good on implied threats to withdraw certain services or features—as it has suggested it might do in the UK over encryption—it would create a painful standoff for consumers.
The battle over India’s smartphone security rules is more than a regulatory skirmish. It is a microcosm of the 21st century’s central digital dilemma: in a world where data is power and technology is infrastructure, who ultimately holds the keys—the global corporations that build the systems, or the nations whose citizens use them? The answer, still being negotiated behind closed doors in New Delhi, will resonate in boardrooms and government halls around the world.