ITSAR for Smartphones: India’s Push for Device-Level Cyber Sovereignty

Why in News ?

The Union Government is considering legally enforcing the Indian Telecom Security Assurance Requirements (ITSAR) for smartphones, introducing 83 mandatory security standards covering source code disclosure, software controls, logging requirements, and user-permission restrictions.

The proposal has triggered strong resistance from major global smartphone manufacturers such as Apple, Samsung, Google, and Xiaomi, who argue that several provisions lack global precedent, threaten proprietary technologies, and may undermine innovation and ease of doing business in India.

Background: India’s Expanding Digital Security Concerns

India is the world’s second-largest smartphone market, with nearly 750 million users, making device-level security a matter of national importance.

Contextual Drivers

• Sharp rise in:
  • Online fraud
  • Cybercrime
  • Data breaches and spyware concerns
• Increasing reliance on smartphones for:
  • Digital payments
  • Governance services
  • Critical infrastructure access

The proposed ITSAR framework aligns with the government’s broader emphasis on digital sovereignty, cyber resilience, and national security, similar to earlier interventions such as:

• Mandatory cyber safety applications (later rolled back)
• Stringent security norms for surveillance cameras citing national security risks

What is ITSAR ?

The Indian Telecom Security Assurance Requirements (ITSAR) are a set of security compliance standards framed under the telecom security ecosystem to ensure that devices operating on Indian networks meet robust cybersecurity and data protection benchmarks.

Under the current proposal, ITSAR would be legally enforced for smartphones, making compliance mandatory for manufacturers selling devices in India.

Key Features of the Proposed Smartphone Security Standards

1. Source Code Disclosure

• Manufacturers must submit proprietary source code for inspection by government-designated laboratories.
• Objective:
  • Detect hidden backdoors
  • Identify systemic vulnerabilities

Industry Response:

• The Manufacturers’ Association for Information Technology (MAIT) has termed it “not possible”
• No similar requirement exists in:
  • EU
  • North America
  • Australia
  • Africa

2. Background Permission Restrictions

• Apps cannot access:
  • Camera
  • Microphone
  • Location
• while running in the background
• Mandatory continuous status-bar alerts when sensitive permissions are active

Concerns:

• No global testing standards
• Risk of over-regulation affecting app functionality

3. Periodic Permission Review Alerts

• Devices must periodically prompt users to review app permissions
• Industry suggests limiting alerts to high-risk permissions to avoid user fatigue and alert desensitisation

4. One-Year Log Retention Requirement

• Smartphones must store security audit logs (logins, app installations, system events) for 12 months

Industry Concern:

• Consumer devices may lack sufficient storage
• Privacy implications of long-term user activity logs

5. Mandatory Periodic Malware Scanning

• Automatic malware scans to be conducted at regular intervals

Concerns:

• Battery drain
• Slower device performance
• User experience degradation

6. Removal of Pre-Installed Applications

• All non-essential pre-installed apps must be removable by users

Industry View:

• Many apps are deeply integrated into operating systems
• Forced removal may compromise system stability

7. Mandatory Notification of Software Updates

• Manufacturers must inform the National Centre for Communication Security (NCCS) before releasing major software updates

Industry Objection:

• Impractical during zero-day vulnerabilities
• Delays could expose users to active cyber threats

8. Tamper Detection (Rooting / Jailbreaking)

• Devices must detect tampering and display persistent warnings

Challenge:

• No universally reliable detection mechanism exists across devices

9. Anti-Rollback Protection

• Blocking installation of older software versions, even if manufacturer-signed

Concerns:

• No global standard
• Restricts legitimate use cases such as debugging or enterprise testing

Key Challenges and Way Ahead

Data Security vs Proprietary Rights

• Risk of exposing trade secrets
• Need for risk-based regulation focusing on critical vulnerabilities rather than blanket controls

Lack of Global Precedent

• Potential regulatory overreach
• Align standards with OECD and EU cybersecurity norms

Ease of Doing Business

• High compliance costs may deter investment
• Need for time-bound clearances for security updates

Operational Practicality

• Storage constraints, battery drain, update delays
• Explore independent third-party security audits instead of direct source code disclosure

Innovation and R&D Concerns

• Over-regulation may discourage innovation
• Balance national security with privacy and technological competitiveness