
India Mandates Undeletable Security App on All Smartphones

India now requires all phones to ship with an undeletable government security app, raising privacy and security concerns.

Written By Ken Underhill
Dec 2, 2025

India has ordered all major smartphone manufacturers to preload a permanent, undeletable government security app — Sanchar Saathi — onto every new device sold in the country. 

The directive applies to Apple, Samsung, Xiaomi, Vivo, Oppo, and any other vendor selling into India’s massive telecom market. 

The move immediately sparked concern about surveillance risk, user autonomy, and unprecedented state control over consumer devices.

As Reuters (2025) reported, attorney Mishi Choudhary said, “The government effectively removes user consent as a meaningful choice.”

Key Features of India’s Mandatory Security App

Sanchar Saathi, originally launched as a web portal, has been reframed as a mandatory mobile security platform integrating directly into the operating system. 

The app bundles several anti-fraud tools, including:

  • Chakshu, a reporting mechanism for suspicious calls and messages
  • Lost/Stolen phone blocking, linked to the Central Equipment Identity Register
  • Know Your Mobile Connections, allowing users to identify SIMs registered under their identity
  • Device authenticity checks to verify hardware and IMEI validity

The government highlights the platform’s successes — claiming it has helped trace over 700,000 lost or stolen phones. But the requirement that the app be unremovable triggered immediate pushback.

Device makers fear forced installation undermines user trust and violates long-standing platform principles, especially for companies like Apple that prohibit preinstalled third-party apps with elevated system access. 

Privacy organizations argue the mandate opens the door to intrusive monitoring, even if the government denies any surveillance intent.

Security Impact of Mandatory System Apps

Unlike typical mobile apps, Sanchar Saathi must be embedded as a system-level component, giving it privileged access to device identifiers, network interfaces, and fraud-reporting workflows. 

While none of this inherently signals malicious functionality, the lack of choice — and the requirement that the app be non-removable — dramatically changes the device security model.

For security teams, the concerns include the following:

  • Expanded attack surface: System apps with elevated permissions may introduce new security risks if vulnerabilities arise.
  • Mandatory data pathways: Fraud reporting and device checks may create centralized logs or metadata flows that enterprises cannot opt out of.
  • Regulatory uncertainty: Companies must comply with a rapid, unilateral mandate with little technical guidance or transparency.
  • Supply-chain implications: The requirement to preload software affects manufacturing pipelines, OTA updates, and device certification processes.

Although there is no evidence yet that the app is being used for surveillance, critics warn that system-level apps open the door to feature creep or future directives that could mandate deeper data collection.

Protecting Data from Mandatory Government Apps

While consumers cannot remove Sanchar Saathi, organizations can take steps to minimize risk and maintain compliance:

  • Update BYOD and mobile fleet policies to ensure MDM solutions account for the mandatory app and its interaction with enterprise configurations.
  • Monitor mobile devices for unexpected system behavior by inspecting network traffic, VPN activity, and anomalous communication patterns.
  • Strengthen mobile privacy controls by encrypting corporate data, enforcing containerization, and isolating work data from system-level apps.
  • Limit mobile access to sensitive internal systems by applying segmentation and zero-trust principles to device authentication and authorization.
  • Use mobile threat defense tools to detect risky permissions, unusual app behavior, or potentially unsafe data flows from preloaded system apps.
  • Minimize corporate data stored on mobile devices by enforcing cloud-first access models and reducing reliance on local storage.
  • Prepare clear communication for employees and review legal, regulatory, and data-handling obligations to ensure compliance with regional requirements such as GDPR and the DPDP Act.

Taken together, these steps help organizations stay secure and compliant despite the challenges posed by mandatory system apps.

The Global Implications of India’s App Mandate

India’s mandate reflects a broader global shift in how governments view mobile security: smartphones are increasingly treated as frontline instruments for combating fraud, cybercrime, and misinformation. 

Yet as security functions move deeper into the operating system, the boundary between legitimate protection and potential government overreach becomes harder to distinguish. 

Requiring undeletable government apps, especially those with system-level access, sets a powerful precedent, one that may influence regulators not only within India but in other countries as well.

This evolving landscape reinforces why zero-trust principles are becoming essential for managing device security and access. 
