India mandates preinstallation of state cybersecurity app on all mobile phones

In a significant move aimed at strengthening national cybersecurity and curbing the rise in online fraud, the Government of India has issued a mandatory directive requiring all smartphone manufacturers to preinstall the state-developed Sanchar Saathi application on every new mobile device sold in the country. The directive, issued by the Department of Telecommunications (DoT), instructs manufacturers to ensure that the application cannot be removed by users once installed, according to a Reuters report published on Monday.

The government order, dated 28 November 2025, gives leading smartphone companies such as Apple, Samsung, Xiaomi, OnePlus, Vivo and Oppo a period of 90 days to implement the change. Devices that are already manufactured or in transit must also receive the application through an over-the-air (OTA) update, making the requirement applicable to both new stock and existing inventory.

Purpose of the mandate

The Sanchar Saathi application was introduced by the Indian government in January 2025 as part of a nationwide initiative to combat the increasing cases of cybercrime, phone theft, SIM fraud and misuse of spoofed device identities. The platform integrates databases that authenticate the International Mobile Equipment Identity (IMEI), prevent the use of cloned or fake mobile devices, and help users take action if their phones are lost or stolen.

Government officials highlight that the platform has already demonstrated major benefits. As per the data shared publicly, the system has helped recover more than 700,000 lost or stolen devices and has blocked more than 30 million fraudulent or cloned mobile connections. Authorities say these numbers reflect the scale of the cyber fraud problem and justify the decision to make the app mandatory.

Criticism and concerns

While the government views this directive as an essential step toward protecting citizens, the decision has triggered serious concerns among privacy advocates, digital rights organisations and technology experts. Critics argue that forcing users to keep a nonremovable application on their devices may be inconsistent with privacy principles and user autonomy. Some experts believe the mandate could set a precedent for expanding the role of state-controlled digital tools, raising questions about surveillance and data access.

An internet rights specialist told Reuters that the order leaves very little room for user choice, and that mandating a permanent state app on every phone raises several red flags about digital freedom and transparency.

Impact on smartphone companies

The directive also poses a challenge to global smartphone brands that have strict policies against non-user-removable government applications. Apple, in particular, is known for resisting preinstallation of apps that do not align with its ecosystem guidelines. Industry observers expect that Apple may attempt negotiations with the government in order to find a solution that does not compromise its software integrity and privacy stance. Android manufacturers may comply more easily but will still have to modify their existing builds and update pipelines.

Market analysts note that the requirement could have a substantial operational and technical impact due to the scale of India’s mobile market. With more than 1.2 billion telecom subscribers, India is one of the largest smartphone markets in the world. As a result, the directive will affect tens of millions of devices shipped in 2026 and beyond.

Political and public reactions

The move has already sparked a wider debate on social media and among political groups. Supporters argue that the mandate is a necessary step in the fight against phishing, online scams, identity theft and telecom-related fraud. Others caution that mandatory digital tools controlled by the government require stronger safeguards and transparency mechanisms to prevent misuse.

Some technology experts also warn that if the application collects or processes sensitive personal data, it must operate under strong legal oversight, especially as India continues to implement the Digital Personal Data Protection Act.

What comes next

Smartphone manufacturers are expected to begin technical discussions with the DoT in the coming weeks in order to understand compliance requirements, integration processes and privacy expectations. The enforcement of the directive will begin after the 90 day implementation window, unless the government issues a clarification or an extension.

The rollout will likely influence future debates on digital regulation, cybersecurity governance and the balance between state control and user freedoms in India’s rapidly evolving digital ecosystem.

Stay with us for updates on: DPDP Consultants Newsletter