India’s Cyber Safety App Mandate

India’s Department of Telecommunications (DoT) has issued a directive mandating that all major smartphone manufacturers preload the state-owned Sanchar Saathi cybersecurity app on new devices sold in the country, with a provision to ensure that users are unable to delete it. This move impacts India’s $48 billion mobile market and affects over 1.2 billion subscribers. The order, issued on November 28, gives companies including Apple, Samsung, Vivo, Oppo, and Xiaomi 90 days to comply, with over-the-air updates required for phones already in the supply chain.

Notably, the order was shared privately with companies and not made publicly available. This lack of transparency raises serious concerns about accountability and public scrutiny. Coupled with existing government exemptions under the Digital Personal Data Protection Act (DPDPA), which shield state-run applications from stringent privacy regulations, this mandate becomes even more suspect. The centralised tracking and extensive data collection enabled by the app, without clear public oversight or clarity on data use, create the foundation for misuse and mass surveillance.

The opacity surrounding the app’s operation, whose source code is not open, and the absence of a public, consultative process amplify fears of unchecked government access to device data. Such a secretive approach undermines user trust while increasing the risk that the mandate could be exploited beyond its stated security purposes, eroding fundamental privacy rights.

Moreover, expert cybercriminals can bypass the app through phone rooting or IMEI masking, limiting its effectiveness.

Launched earlier in 2025, Sanchar Saathi is designed to enhance telecom security by verifying IMEI authenticity to prevent the use of lost or stolen devices, reporting suspicious calls and messages, and enabling users to block stolen phones. The app, which has over 11.4 million registrations, has reportedly helped recover over 600,000 lost or stolen phones and disabled nearly 3 million fraudulent SIM connections. Authorities argue that mandatory preloading will boost adoption and enhance fraud prevention without relying on voluntary installs.

The fundamental question is whether such an app or additional regulations are required to tackle cyber threats. India already has robust laws and systems for combating cyber fraud, including the Information Technology Act, TRAI’s Central Equipment Identity Register (CEIR) for IMEI blacklisting, SIM KYC requirements, and provisions under the Bharatiya Nyaya Sanhita addressing fraud and theft. The key issue to be solved is that enforcement challenges, low public awareness, and jurisdictional barriers hinder their effective implementation.

Rather than relying on mandatory pre-installed apps, the government should focus on strengthening enforcement capacity by investing in cyber forensic labs, training law enforcement and prosecutors, forming interstate cybercrime units, and launching public awareness campaigns with multilingual complaint portals. This approach can help curb cybercrime sustainably and improve safety in India’s telecom ecosystem.