The Centre’s stated objective is to counter what it calls the “serious endangerment” of telecom cyber security arising from duplicate or spoofed International Mobile Equipment Identity (IMEI) numbers, which are used to execute financial scams and abuse telecom networks.
Published Dec 01, 2025 | 8:53 PM ⚊ Updated Dec 01, 2025 | 9:26 PM
Preloaded apps tend to have heightened permissions within the operating system compared to a regular app downloaded by the user through an app store.
Synopsis: The Union Government has reportedly directed smartphone makers to preload all new devices with a DoT-run security app, with the stated aim of helping users block stolen phones and curb cyber fraud linked to duplicate IMEI numbers. The privately-issued directive, which sets a 90-day compliance window, also includes a provision preventing users from deleting the app, raising concerns about privacy, intrusive access and the lack of user choice. Experts have further questioned the need for such an app to tackle theft and IMEI spoofing, noting that better industry solutions already exist.
The Ministry of Communications has privately directed smartphone manufacturers to preload all new devices with a government-run security application, Reuters reported, citing an official order. The directive, issued on 28 November, reportedly gives companies 90 days to comply.
The application in question, Sanchar Saathi, developed and operated by the Department of Telecommunications (DoT), is described as “a citizen-centric initiative, to empower mobile subscribers, strengthen their security and increase awareness about citizen-centric initiatives of the Government”. The platform primarily allows users to block stolen phones and report phishing calls and messages.
Sanchar Saathi allows users to block stolen phones and report phishing calls and messages.
The Centre’s stated objective is to counter what it calls the “serious endangerment” of telecom cyber security arising from duplicate or spoofed International Mobile Equipment Identity (IMEI) numbers, which are used to execute financial scams and abuse telecom networks.
However, the directive has triggered concerns over user privacy and choice, since the directive reportedly mandates the app be preloaded, with a provision mandating that it cannot be removed.
Pranesh Prakash, an independent tech law and policy research advisor, questioned the motive behind the move, noting that the telecom industry has long been working on mechanisms to combat IMEI-related fraud.
“My question is, the GSM Association [GSMA] has been working on other mechanisms for dealing with stolen phones, through tracking and switching off IMEI numbers. So what purpose does this particular app serve? What does it do that isn’t already being explored by the industry to address exactly the same problem the government says it wants to tackle? What is the need for this?” he told South First.
Neither the MoC nor the DoT have issued a public comment on the reported directive.
Expressing scepticism that the app in question would help curb mobile thefts, Prakash further pointed to the lack of user choice.
“Even if it is needed—and I’m not convinced it is—let’s assume, for the sake of argument, that this is the only way the government can prevent stolen phones from being resold and used again. Even then, it should be up to each individual whether they want this app on their phone. I don’t see why it should be something users cannot delete, or why such a condition is required,” he said.
He pointed to similar cases in the past, particularly in the United States involving smartphone giant Apple and the Federal Bureau of Investigation (FBI).
Apple, which promotes itself as a privacy first company, has long resisted attempts by various governments across the world to get it to install a “backdoor” in its operating systems for easy access by law enforcement agencies.
“In the San Bernardino case, Apple essentially argued that requiring it to create a particular image of its operating system [as was being asked by the FBI] amounted to compelled speech. Now, forcibly requiring companies to include a particular app doesn’t seem very different,” he explained.
“Of course, no legal analysis has played out here yet, and in India, as we saw just a few days ago, compelled speech seems to be perfectly acceptable to the Supreme Court, even though in earlier cases compelled speech has been struck down as a violation of the Constitution under Article 19(1)(a). But in India, these things depend far more on the particular judge than on actual legal doctrine.”
Preloaded apps on both Android and iOS are usually not user deletable. Furthermore, they tend to have heightened permissions within the operating system compared to a regular app downloaded by the user through an app store.
Crucially, it is possible for a preloaded app to have enough permissions to control every aspect of the device and monitor or share the contents of the device, even without the user’s permission or awareness.
While Apple is expected to fight the order, other smartphone makers are more likely to comply with it.
Unlike Apple, which develops its own closed-source operating system, almost all other smartphone makers base their operating systems on Google’s Android, which is partly open source and is often customised to their needs.
More often than not, companies such as Samsung, Oppo, Xiaomi and even Google tend to offer several third party apps pre-installed on their devices. Most of these are often non-user removable.
Notably, the Centre’s directive follows the DoT clarification issued on 27 November, confirming that the Telecommunication Cybersecurity (TCS) Rules, 2024 are now in force and enforceable.
Among other provisions, the rules introduce a new category of regulated entities, the Telecom Identifier User Entity (TIUE).
Any business that uses mobile numbers or other telecom identifiers to verify users or deliver services may qualify as a TIUE. The draft defines TIUEs as entities other than licensed or authorised telecom operators that use telecommunication identifiers for user verification or service delivery.
A plain reading of this definition may include food delivery platforms such as Swiggy or Zomato, messaging services like WhatsApp, and even retail stores that send customers digital receipts via text message.
Entities classified as TIUEs must now meet several compliance obligations, including maintaining detailed records of telecom identifier usage, sharing relevant data with the government, and suspending specific identifiers when directed by authorities.
(Edited by Dese Gowda)
