India expands digital surveillance as Sanchar Saathi app mandate hits Apple and other smartphone makers

India’s latest digital policy move has sparked alarm as the government pushes the Sanchar Saathi app across smartphones, raising fresh questions over privacy and surveillance.

Government order targets all new smartphones

The Indian government has ordered Apple and other smartphone manufacturers to pre-install a state-owned “security” application on every device sold in the country. Moreover, the order requires that the app cannot be removed by users once it is installed.

According to a Reuters report, even existing device owners will not be exempt. The Department of Telecommunications, or DoT, has instructed Apple and other handset makers to push the app via update to phones already in use, extending the measure far beyond upcoming models.

Details of the November 28 directive

The confidential order, dated November 28 and seen by Reuters, gives major smartphone manufacturers 90 days to ensure that the government’s Sanchar Saathi application is pre-installed on all new mobile phones. However, the directive goes further by including a provision that prevents users from disabling or uninstalling the tool.

For devices already moving through the supply chain, manufacturers must deploy the software to phones via over-the-air updates, the ministry stated in the order. That said, the document was not made public and was instead sent privately to a select group of companies, including Apple, raising transparency concerns.

The measure effectively creates an indian government app mandate across both new and existing devices. However, there is no opt-out mechanism for consumers, which intensifies worries among digital rights advocates and security experts.

Sanchar Saathi and phone tracking concerns

Authorities are presenting the sanchar saathi app as a public safety tool designed to help users recover lost or stolen phones. The platform can already block or trace handsets reported as missing. However, critics argue that universal installation will also ensure that all smartphones in India can be tracked by the state.

Moreover, privacy campaigners fear that the combination of persistent installation and the inability to remove the software creates an always-on layer of potential surveillance. While the government highlights consumer protection, the lack of clear oversight or an independent audit process increases skepticism about its real-world use.

IMSI access and encrypted messaging

India Express reports that this latest step comes on top of another DoT policy that pushes encrypted communication services toward deeper integration with telecom identifiers. The earlier dot directive imsi access move requires end-to-end encrypted messaging apps to link user accounts with the unique electronic serial details of the SIM.

Currently, platforms such as WhatsApp verify users by sending a one-time password, or OTP, to a registered mobile number. However, to comply with the DoT instruction, they will need to begin accessing the International Mobile Subscriber Identity, or IMSI, stored on SIM cards. The IMSI is a unique numeric identifier that tags every mobile subscriber worldwide.

Because SIM cards in India cannot be purchased without valid government-issued identification, tying encrypted chat accounts to IMSI data would allow authorities to map any user to a verified real-world identity. That said, this approach fundamentally reshapes how end to end encryption rule frameworks operate in practice, even if message content remains cryptographically protected.

Implications for privacy and digital rights

The combination of mandatory phone software and deeper SIM-level integration suggests a structural shift in India’s digital governance model. Moreover, it blurs the line between consumer safety and systemic phone tracking by government, as technical capabilities expand faster than legal safeguards.

Critics warn that tying WhatsApp and similar services to unique subscriber numbers could enable comprehensive user mapping, including social graphs and behavioral patterns. However, there is little public information about data retention limits, access controls, or judicial oversight associated with these new requirements.

Digital rights advocates argue that such measures may have a chilling effect on free expression, especially for activists, journalists, and political opponents. Furthermore, the opaque nature of the DoT directives, combined with the absence of robust data protection legislation, heightens concerns around mission creep and misuse.

Apple, iOS ecosystem and compliance pressure

The order places particular pressure on Apple iOS forced install policies, given Apple’s traditional marketing focus on privacy and user control. However, the company must still comply with local regulations to maintain access to the vast and growing Indian smartphone market.

For users, the inability to remove or disable the pre-install government app reduces control over their own devices. Moreover, mandatory updates that inject state-owned software into phones already in circulation raise additional security questions, such as the risk of expanded attack surfaces if the app contains vulnerabilities.

Although the government emphasizes theft prevention and consumer protection, transparency about the sanchar saathi app use, data flows, and audit mechanisms remains limited. Until clearer safeguards and independent oversight are defined, the balance between public safety and individual privacy in India will likely remain sharply contested.

In summary, the November 28 directive and related DoT policies signal a decisive move toward tighter state control over the mobile ecosystem, from hardware to encrypted apps. How Apple, other manufacturers, and global messaging platforms respond in the coming months will shape the trajectory of digital rights and surveillance in one of the world’s largest smartphone markets.