Government plans new security rules, seeks source code access from phone makers including Samsung and Apple
India is planning to impose new security rules that may force smartphone makers to share source code and flag major software updates with the government.

India has proposed requiring smartphone makers to share source code with the government and make several software changes as part of security measures, a plan that has drawn behind-the-scenes opposition from giants like Apple and Samsung.
Tech companies have countered that the package of 83 security standards, which would also include a requirement to alert the government to major software updates, lacks any global precedent and risks revealing proprietary details, according to four people familiar with the discussions and a Reuters review of confidential government and industry documents.
The plan is part of Prime Minister Narendra Modi’s efforts to boost the security of user data as online fraud and data breaches are on the rise in the world’s second-largest smartphone market with about 750 million phones.
IT Secretary S. Krishnan told Reuters that “any legitimate concerns from the industry will be addressed with an open mind”, adding that “it is too early to read more into it”. A ministry spokesperson said he could not comment further due to ongoing consultations with technology companies on the proposals.
The ongoing tug of war regarding government requirements
Apple (AAPL.O), South Korea’s Samsung (005930.KS), Google (GOOGL.O), China’s Xiaomi (1810.HK) and MAIT, the Indian industry group that represents the firms, did not respond to requests for comment.
Indian government requirements have troubled technology companies before. Last month the government rescinded an order mandating state-run cybersecurity apps on phones amid concerns over surveillance. But last year it brushed aside lobbying and required stricter testing for security cameras over fears of Chinese spying.
Xiaomi and Samsung – whose phones use Google’s Android operating system – hold 19% and 15% of the India market respectively and Apple 5%, Counterpoint Research estimates.
One of the most sensitive requirements in the new Indian telecom security assurance requirements is access to the source code – the underlying programming instructions that make the phone work. The documents reveal that it will be analyzed and possibly tested in designated Indian laboratories.
The Indian proposals also require companies to make changes to software to allow pre-installed apps to be uninstalled and prevent apps from using the camera and microphone in the background to “avoid malicious use”.
“The industry has expressed concern that the security requirement has not been mandated by any country at a global level,” an IT ministry document in December detailing meetings held by officials with Apple, Samsung, Google and Xiaomi said.
The safety standards drafted in 2023 are now in the headlines as the government looks to legally enforce them. Sources said the IT ministry and technical officials are scheduled to meet on Tuesday for further discussions.
Companies say source code review, analysis ‘not possible’
Smartphone manufacturers guard their source code closely. Apple rejected China’s requests for the source code between 2014 and 2016, and US law enforcement also tried and failed to obtain it.
India’s proposals for “vulnerability analysis” and “source code review” would require smartphone makers to conduct a “full security assessment”, after which testing labs in India can verify their claims through source code review and analysis.
“This is not possible due to confidentiality and privacy concerns,” MAIT said in a confidential document prepared in response to the government proposal and seen by Reuters. “Major countries in the European Union, North America, Australia, and Africa do not mandate these requirements.”
A source with direct knowledge said MAIT last week asked the ministry to drop the proposal.
The Indian proposals would mandate automatic and periodic malware scanning on phones. Device manufacturers will also have to notify the National Communications Security Center about major software updates and security patches before releasing them to users, and the center will have the authority to test them.
MAIT’s document states that regular malware scanning significantly drains phone batteries and that seeking government approval for software updates is “impractical” as they need to be released immediately.
India also wants a phone’s logs – digital records of its system activity – to be stored on the device for at least 12 months.
“There is not enough space on the device to store 1-year log events,” MAIT said in the document.