India Wages High-Stakes Battle with Apple over iOS Source Code

The Indian government’s attempts to regulate big tech in the name of security have continued to reach strange new heights over the past few months. In December, India mandated an undeletable government app be installed on all iPhones in the country, and while it later backed down after Apple held its ground, that hasn’t stopped it from insisting on forcing Apple to provide location tracking on Indian citizens.

While Apple is also naturally pushing back hard on that requirement, which goes beyond the rules of even less altruistic regimes like China and Russia, the Indian government isn’t stopping there. Among a new list of 83 security requirements under the Indian Telecom Security Assurance Requirements (ITSAR) shared by Reuters is the insistence that Apple share its iOS source code with government regulators. I’ll take “things that will never” happen for $100, Alex.

This Limited-Time Microsoft Office Deal Gets You Lifetime Access for Just $39

Sick and tired of subscriptions? Get a lifetime license for Microsoft Office Home and Business 2021 at a great price!

Marking Apple’s Homework

India’s logic for this requirement stems from its desire to combat what has become a pandemic of fraud and data breaches in the world’s second-largest smartphone market. With nearly 750 million phones in the wild, regulators are trying to cook up any way they can to stem the tide.

Indian regulators believe that by examining the source code in their own government labs they can identify vulnerabilities that could be exploited by attackers. They effectively want to mark Apple’s homework, implying that their experts can somehow ferret out flaws that Apple’s own world-class engineers have missed.

Apple will undoubtedly fight this latest requirement even more vociferously than it did with the mandatory Sanchar Saathi app, since it goes far beyond user privacy and strikes at the heart of Apple’s most precious trade secrets.

Industry Resistance

The iPhone maker also has plenty of allies in this fight, as the Indian government’s requirements are targeting all smartphone platforms, which includes Google, Samsung, and Xiaomi, each of whom hold a far greater share of the Indian smartphone market than Apple’s relatively paltry 5%.

The tech giants are being represented by Industry group MAIT, which has already flatly told the Indian government that this is “not possible,” due to corporate secrecy and global privacy policies.

In a confidential document drafted in response to the government proposal, and seen by Reuters, MAIT adds that no other government on the planet is pushing for these types of regulations:

While China did try this in 2014 and 2016, Apple declined and Beijing quietly dropped the matter. MAIT has asked the ministry to do likewise, according to insiders, but this is also just the largest piece of the iceberg.

The ‘Big Brother’ Requirements

Beyond the source code, the draft regulations would fundamentally change how an iPhone operates in India:

• Background Lockout: Apps would be prohibited from running anything in the background while a phone is locked — even with user authorization.
• Constant Notifications: Apps running in the background would be forced to show continuous status bar notifications, likely accompanied by frequent “review permission” pop-ups.
• 12-Month Security Logs: Devices would be required to keep a one-year audit log of all app installations and login attempts.
• Mandatory Malware Scanning: Apple and Google would have to build automated, frequent malware scanning directly into the OS.
• Pre-Release Approval: Apple would be required to notify the government before releasing any major update or security patch, allowing regulators to “test” them first.
• Total Bloatware Removal: Manufacturers would be forced to allow users to uninstall any pre-installed application, a move that could target core system apps Apple currently considers essential to the iOS experience. This is one of the few requirements that isn’t actually unique, as the EU has pushed Apple in a similar direction; however, the scope here could go much further.
  

MAIT insists that most smartphones don’t have sufficient storage to keep a year of comprehensive logs, and that constant on-device scanning would hamper performance and needlessly drain the battery. Furthermore, requiring government review of security patches could delay critical fixes, ironically leaving users vulnerable to “zero-day” exploits while they wait for a government stamp of approval.

Damage Control or Denial?

India’s IT Secretary S. Krishnan attempted to downplay the fallout, telling Reuters that the rules are merely a “preliminary draft” and that the government would address industry concerns with an “open mind.” He added that it’s “premature to read more into it” at this stage.

The government went even further today, with its Press Information Bureau issuing an official “Fact Check” calling the report “false” and denying that a source code mandate was ever on the table. However, this feels like classic political damage control, since the ministry hasn’t offered any explanation for why the requirement was explicitly documented in the 83-point draft shared with industry leaders.

We won’t have to wait long to see which side is telling the truth. IT Ministry officials and tech executives are expected to have a high-level meeting tomorrow, Tuesday, January 13, during which Apple and its peers will undoubtedly draw a hard line in the sand.

Ultimately, it’s hard to believe the Indian government actually expects Apple to acquiesce. The more likely explanation is a “shoot for the moon” negotiation tactic. Regulators are throwing everything at the wall, hoping that invasive tracking and malware-scanning rules will seem reasonable if they “generously” back down on the source code requirement. We don’t imagine Apple will fall for that one.