India backs off from requiring government-made security app

The Indian government on Dec. 3 revoked an order that originally directed leading smartphone makers such as Apple and Samsung to install the state-developed “Sanchar Saathi” app on all new phones.

The reversal came after at least two days of criticism by tech industry groups and domestic political opponents warning that the mandate was an autocratic approach that would lead to the government spying on its citizens.

Security industry professionals generally said India’s government made the right decision, pointing to the model of the EU’s GDPR and the upcoming Cyber Resilience Act as more transparent, in that those regimes mandate security outcomes from vendors rather than requiring installation of a government-made mobile app.

“The fundamental problem with India's approach wasn't the goal of improving mobile security, it was the implementation: closed-source code, root-level access, no independent audit, and no user control,” said Michael Bell, chief executive officer at Suzu Lab.

Bell added that perfect security and perfect privacy are fundamentally in tension — and any system that claims otherwise is lying.

“We can shift the burden,” said Bell. “Instead of governments monitoring citizens, require device manufacturers and app developers to meet security baselines, mandate transparency about data collection, and give users genuine control.”

Krishna Vishnubhotla, vice president, product strategy at Zimperium, pointed out that the Sanchar Saathi app has been available for nearly two years and has more than 10 million users, offering several helpful features for citizens. But in a country with roughly 700 million smartphones, Vishnubhotla said overall adoption remains low, so the government’s push to broaden access was understandable.

“Smartphones now sit at the center of both personal and professional life, and they have become a primary entry point for scamming citizens and breaching the employers they work for because they are often the least protected devices we rely on,” said Vishnubhotla. “Strengthening mobile security has become essential to nations, but these devices are also deeply personal. Broad adoption will depend on clear transparency about why specific permissions are required, how those permissions protect citizens, and what the app does not collect or do.”

Concerns regarding government overreach with app installation

Damon Small, board member at Xcape, Inc., said the Indian government’s attempt to mandate the Sanchar Saathi app was a concerning overreach. Experts warned that forcing software with root-level access turns smartphones into vessels for state surveillance, raising fears similar to those surrounding Pegasus spyware developed by Israel, said Small.

“While the goal of protecting citizens from fraud makes sense and is notable, achieving it through coercion rather than partnership with private manufacturers, like Apple, creates a dangerous precedent,” Small said. “Mandating this tool is like the police insisting on installing a specific safety lock on the front door that they keep a master key for. Even if they intend to stop burglars, it fundamentally strips the homeowner of the right to privacy within their own home.”

George McGovern, a vice president at Approov, added that government initiatives to reduce mobile-enabled crime through citizen-facing apps are laudable, but making government apps mandatory would set a deeply troubling precedent, noting that the apps installed on an individual’s device must always stay a personal choice.

“In addition to privacy concerns, there are certainly security concerns,” said McGovern. “Security doesn’t arise from who publishes an app, but from implementation and ongoing measures to sustain an app’s integrity and behavior. Without strong safeguards like runtime attestation and zero-trust principles, any apps could become new vectors for abuse, surveillance, or exploitation — even if well-intentioned.”

Jim Dolce, chief executive officer at Lookout, said today’s enterprises must take a privacy-first approach that ensures that sensitive personal information remains protected, even as organizations monitor for threats. By respecting user boundaries while defending against phishing, malware, and data leaks, Dolce said mobile security tools can balance protection with trust, enabling strong security without sacrificing individual privacy.

Dolce said we can do this via anonymized identity protection that gives organizations the option to de-identify user data, allowing administrators to secure devices without accessing personally identifiable information. Companies should also collect only the data necessary to detect and remediate threats and nothing more.

Here are some ways Dolce said teams can balance security with privacy:

  • Maintain control over data retention periods, with automatic purging of user-related data after a configurable time frame ranging from 3 to 36 months.
  • Refrain from tracking or storing precise GPS locations. Base any location data on generalized IP address ranges, ensuring user location remains imprecise and non-intrusive.
  • Tailor privacy settings to meet internal policies, including the option to disable even approximate location data entirely.
  • Notify end-users when a threat gets detected; organizations can customize alerts to support a privacy-conscious, informed security culture.
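The four controls above can be expressed as a small data-minimization pipeline for mobile threat telemetry. This is an added illustration, not Lookout's code or anything from the article; the field names, the keyed-hash pseudonym, the /16 and /32 network generalization, and the 30-day month approximation are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta

# Retention window bounded to the 3..36 month range quoted in the article.
MIN_RETENTION_MONTHS, MAX_RETENTION_MONTHS = 3, 36

# Constructed sample record (not real telemetry). It deliberately carries
# fields the policy must drop: the user's e-mail and a precise GPS fix.
SAMPLE_RAW = {
    "user_id": "alice@example.com",
    "threat": "phishing_link",
    "observed_at": "2025-11-20T10:00:00+00:00",
    "client_ip": "203.0.113.45",
    "gps": (12.9716, 77.5946),
}

def pseudonymize_user(user_id: str, org_secret: bytes) -> str:
    # Keyed hash (assumed technique): admins can correlate a device's threat
    # history without learning the identity; the key stays with the organization.
    return hmac.new(org_secret, user_id.encode(), hashlib.sha256).hexdigest()[:16]

def generalize_ip(ip: str, prefix_v4: int = 16, prefix_v6: int = 32) -> str:
    # Keep only the enclosing network so any location inference stays coarse.
    addr = ipaddress.ip_address(ip)
    prefix = prefix_v4 if addr.version == 4 else prefix_v6
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def minimize_event(raw: dict, org_secret: bytes, allow_approx_location: bool = True) -> dict:
    # Retain only what detection and remediation need; precise GPS is never
    # copied, and even approximate location can be disabled by policy.
    event = {
        "subject": pseudonymize_user(raw["user_id"], org_secret),
        "threat": raw["threat"],
        "observed_at": raw["observed_at"],
        "notify_user": True,  # the end user is told that a threat was found
    }
    if allow_approx_location and "client_ip" in raw:
        event["approx_location"] = generalize_ip(raw["client_ip"])
    return event

def purge_expired(events: list, retention_months: int, now_iso: str) -> list:
    # Enforce the configured retention period; months are approximated as 30 days.
    if not MIN_RETENTION_MONTHS <= retention_months <= MAX_RETENTION_MONTHS:
        raise ValueError("retention must be between 3 and 36 months")
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=30 * retention_months)
    return [e for e in events if datetime.fromisoformat(e["observed_at"]) >= cutoff]
```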

SC Media's daily must-read of the most current and pressing daily news