India Mandates Undeletable Government App on iPhones
Toggle Dark Mode
The Indian government has ordered Apple and other smartphone manufacturers to preload a state-developed “cyber safety” app on all smartphones before they are sold to customers. The government is also requiring Apple to ensure that the app cannot be removed by users.
In addition to being pre-installed on new devices, the Department of Telecommunications (DoT) is also requiring smartphone makers to push the app to existing smartphones via a software update.
Reuters reports it has seen the November 28 order, which gives smartphone companies a 90-day deadline to ensure the Sanchar Saathi app is pre-installed on new mobile phones before they reach customers. The app must also be protected against user deletion. Any devices already in the supply chain or in customers’ hands must have the app pushed to them via a software update.
The order has not been made public by the government, and was instead sent privately to select device manufacturers. As you might expect, the government is framing it as a way to help users recover their lost or stolen devices. However, since it would allow the government to track all phones, there are privacy implications for smartphone users.
India is one of the world’s largest smartphone markets, with over 1.2 billion subscribers. The Indian government claims the app, which launched in January as an optional download, has helped recover more than 700,000 lost phones.
Mishi Choudhary, a lawyer specializing in technology matters, said India’s move was cause for concern.
“The government effectively removes user consent as a meaningful choice,” said Choudhary, who works on internet advocacy issues.
The new crackdown on privacy extends beyond pre-installed apps. The DoT has reportedly also mandated that end-to-end encrypted messaging apps like WhatsApp link to the device’s unique electronic serial number.
As reported by The Indian Express, the encrypted messaging service currently verifies a user’s identity by sending a one-time password to a user’s mobile number. The DoT’s new regulations will require WhatsApp to begin identifying users by their IMSI (International Mobile Subscriber Identity), a unique identifier hardcoded to a device’s SIM card and not as easily changeable as a phone number.
In India, SIMs cannot be purchased without first showing government-issued identification. This means the government could identify any user of an encrypted messaging app.
We can expect Apple to push back against the new directive, likely trying to convince the government to instead offer the app to users during setup, with wording that would simply encourage them to install it, rather than forcing it upon them.
Unfortunately for anyone concerned with privacy, Apple will have little choice but to comply with the new directive unless it can convince Indian officials to make the app’s installation voluntary. This also wouldn’t be the first time Apple has been forced to comply with government regulations that conflict with its goal of protecting its customers’ privacy.
In 2018, the Chinese government forced Apple to store iCloud data on servers owned by a company with direct ties to Beijing. The Cupertino firm has also been known to remove VPN apps from the Chinese and Russian App Stores when directed to do so.
We can expect that, if required, Apple will bow to Indian government regulators and pre-install the tracking app. Its only other option would be to stop doing business in the country entirely, which is unlikely given that India is both a growing market and an increasingly important manufacturing hub for the firm’s devices.
