India’s Sanchar Saathi App Mandate Sparks Major Privacy Concerns

1

The Sanchar Saathi app mandate has ignited a national debate over security, privacy, and user control in India’s smartphone market. The government now requires the app on all new devices.

Under the Sanchar Saathi app mandate, manufacturers have 90 days to pre-install the app, display it during setup, and ensure critical features remain active. Compliance reports are due in 120 days.

Supporters cite device verification and theft reporting; critics say the Sanchar Saathi app mandate expands surveillance risks and deepens India smartphone privacy concerns.

Sanchar Saathi app mandate: What You Need to Know

• All new smartphones sold in India must include the app within 90 days, surface it during setup, and keep its core functions enabled.

Sanchar Saathi app mandate

India ordered smartphone makers to pre-install a government cybersecurity app on all new devices within 90 days. The Sanchar Saathi app mandate requires the app to appear during initial setup, while core functions cannot be disabled or restricted by users.

Manufacturers must submit compliance reports within 120 days. The Sanchar Saathi app mandate covers all devices manufactured or imported for sale in India, a market with over 1.2 billion mobile subscribers.

What the order requires

The Sanchar Saathi app mandate obligates manufacturers to make a good-faith effort to deliver the app via software updates for devices already produced but unsold. The Department of Telecommunications (DoT) points to duplicate or spoofed IMEIs and the resale of blacklisted phones as systemic telecom risks.

Officials cite more than 700,000 lost phones traced through the platform, 50,000 in October, as evidence that the Sanchar Saathi app mandate can yield public benefits.

Privacy concerns and permissions

Digital rights groups warn the Sanchar Saathi app mandate amplifies India smartphone privacy concerns. Mandatory pre-installation with expansive permissions could conflict with user autonomy.

The app’s policy lists capabilities to make and manage calls, send messages, access logs, photos and files, and use the camera.

On Google Play, the app states it does not collect or share user data. For mobile hardening guidance, see CISA’s mobile security best practices and recent Apple security patches.

• Call and message management enables verification and reporting, while creating oversight risks if misused.
• Access to logs, photos, and files aids tracing but elevates data governance and security requirements.
• Camera and device identifiers help counter spoofed IMEIs, demanding strong safeguards and auditability.

Government response

Following criticism, Communications Minister Jyotiraditya Scindia said users would be able to delete the app. The Sanchar Saathi app mandate, however, requires that core functionalities not be disabled or restricted, prompting questions about how deletion will work in practice.

Industry pushback and Apple

Compliance will test global policies. Many vendors restrict pre-installing third-party or government apps outside specific markets.

Reuters reported that Apple has not publicly commented but does not intend to comply and will communicate its objections to authorities, intensifying the Apple India compliance order dilemma.

While Android dominates, iOS remains influential, and the Sanchar Saathi app mandate pressures cross-border supply chains and software governance.

How the app works

Launched in January, the app lets users check IMEIs, report lost or stolen devices, and flag suspected fraud communications. An IMEI is a 15-digit identifier used to authenticate devices on cellular networks.

Supporters argue the Sanchar Saathi app mandate could curtail the circulation of blacklisted phones. Critics counter that the privacy trade-offs are excessive. Related concerns also echo across sectors, including rising API attacks on India’s banking sector.

Implications for users, industry and oversight

The Sanchar Saathi app mandate could help consumers recover stolen devices, verify handsets, and report fraud quickly, reducing resale of blacklisted phones. At scale, it may help operators tackle spoofed IMEIs and strengthen telecom integrity.

However, the Sanchar Saathi app mandate introduces structural risks. Expansive permissions require strict minimization, independent audits, and transparent deletion mechanics.

Ambiguity around uninstalling the app, despite non-disabling requirements, sharpens India’s smartphone privacy concerns and increases the need for clear governance.

For manufacturers, the Sanchar Saathi app mandate adds engineering and compliance complexity across jurisdictions. Divergent mandates, including data-access rules, can complicate firmware pipelines, validation, and app store policies.

Organizations should monitor updates alongside broader trends, such as zero-trust adoption and endpoint hardening, to align controls with evolving regulatory frameworks.

For broader context on exploitation risks and device hardening, see coverage of Android vulnerabilities and phishing defense.

Conclusion

The Sanchar Saathi app mandate seeks to curb device fraud and harden telecom infrastructure for more than a billion users. Its outcomes will depend on clear deletion options and verifiable data controls.

To balance crime prevention with privacy, the Sanchar Saathi app mandate must enforce minimal data access, publish audit results, and enable independent oversight. Transparent governance can reduce friction without weakening security goals.

As vendors assess timelines, the Sanchar Saathi app mandate will require sustained dialogue between government, industry, and civil society to reconcile enforcement, privacy rights, and technical feasibility.

Questions Worth Answering

What is the Sanchar Saathi app?

• It is a government tool for IMEI verification, reporting lost or stolen phones, and flagging suspected fraud communications across telecom networks.

Is the app mandatory on new smartphones?

Yes. The Sanchar Saathi app mandate requires pre-installation within 90 days, visibility during setup, and non-disabling of core functions.

Can users delete the app?

• The minister said deletion will be possible, but the Sanchar Saathi app mandate’s non-disabling requirement, leaves implementation details unclear.

Why are privacy advocates concerned?

• Broad permissions for calls, messages, logs, files, and camera heighten privacy, governance, and surveillance risks if safeguards are weak.

How does the app deter fraud?

• By verifying IMEIs, enabling device tracing, and supporting reports of suspected misuse, discouraging resale of blacklisted devices.

Will Apple comply?

• Reuters reported Apple does not intend to comply and plans to convey concerns to the government, highlighting the Apple India compliance order issue.

Where can users find hardening guidance?

• See CISA’s mobile security guidance and Apple’s latest security fixes.

About India’s Department of Telecommunications

The Department of Telecommunications (DoT) issued the Sanchar Saathi app mandate for all new smartphones sold in India. The order targets telecom security and device integrity.

The DoT cites spoofed and duplicate IMEIs and the resale of blacklisted phones as threats to networks and consumers. It reports substantial device recoveries through the platform.

Under the Sanchar Saathi app mandate, the app must be visible during setup, core functions cannot be disabled, and manufacturers must submit compliance reports.

About Jyotiraditya Scindia

Jyotiraditya Scindia is India’s Minister of Communications. He addressed public concerns following the Sanchar Saathi app mandate announcement.

He indicated users would be able to delete the app, describing the approach as voluntary. Implementation details remain pending.

His remarks raised questions about how deletion will coexist with the Sanchar Saathi app mandate’s non-disabling requirement for critical functionalities.