Smartphone Makers Off the Hook in India as Security App Requirement is Abandoned

Just days after receiving a secret order requiring them to pre-install an anti-theft security app on all new mobile devices sold in India, smartphone makers have been told publicly that this plan has been abandoned for now.

The Modi government publicly admitted to the order to smartphone makers after it was leaked to major media outlets, and has formally reversed course on the security app plan. It took only several days of outcry about potential snooping and spying to cause the change of plans, though the government insists the app was not to be activated by default and that India’s smartphone users would have been able to delete it.

India’s secret order met with resistance from smartphone makers

If this story seems familiar, it’s because something very similar happened much earlier this year in the UK. In that case, the UK government invoked its Investigatory Powers Act 2016 to issue a secret order to Apple to insert a law enforcement backdoor into the Advanced Data Protection (ADP) system. Under this law, smartphone makers could face charges for telling the public and their customers about such an order. The story had to be leaked to the press by anonymous sources, and Apple quietly pulled ADP from the UK market.

Apple was reportedly again planning to not comply with the Indian government’s order to preload the security app, for the same central reason: the security vulnerabilities it would likely introduce. This is where the leaked order conflicts with the government’s later statements, as the order appeared to make it mandatory for the app to remain on the device and not have its core functions disabled. However, Apple does appear to be complying with Russia’s recent order to smartphone makers install the state-backed “MAX” messaging app on its phones sold in the region, even as it has seen FaceTime blocked in the country due to claims that it is being used for fraud and support of terrorism.

It’s true that the concerns are somewhat different, as MAX can legally be deleted and have its functions blocked (though by design smartphone makers must deeply integrate it at a root level). In India there are legitimate concerns about government snooping, given the ruling Modi government’s alleged use of the Pegasus spyware since at least 2017, but there are also at least equal concerns about lower-level corruption by officials with privileged access; the well-documented abuse of the Aadhar ID system demonstrates this possibility. The Indian security app asks all users for permission to access stored files, photos and the camera; additionally on Android devices it requires permission to make and manage phone calls.

Security app serves some legitimate purposes, but less invasive alternatives are available

India’s security app has been available in app stores there for some time now and has about 10 million voluntary adoptions to date. This is due to performing some legitimate functions, as advertised; the app has features to combat fraud, scams and phone theft, all rampant problems in the country that it was nominally designed to address. But, considering that somewhere over half of the country’s 1.4 billion population is on smartphones, seeing the otherwise impressive 10 million download number indicates that the vast majority of the country is not interested in having it forced upon them.

There are numerous ways to address these functions without invasive orders to smartphone makers, however. For example, the EU’s current rules focus on requiring vendors to meet certain security baselines rather than opening end user phones up to government inspection. And even if such an app must be installed for some reason, there is no need for the deeper level of hardware security (such as the Titan M2 and Knox Vault chips that handle everyday personal identification functions) to be exposed to compromise in this way. Any order to smartphone makers or tech manufacturers to amass a central information database about users is very likely meant for ease of snooping.