Full Report
'Sanchar Saathi' shares data to help fight fraud and protect carrier security
India’s government has issued a directive that requires all smartphone manufacturers to install a government app on every handset in the country and has given them 90 days to get the job done – and to ensure users can’t remove the code.…
Analysis Summary
# Regulation/Compliance: Mandatory Installation of Sanchar Saathi App
## Overview
This directive mandates that all smartphone manufacturers selling devices in India must pre-install the government-developed "Sanchar Saathi" application on every handset. The goal is to combat telecom fraud, improve cybersecurity for carriers (by addressing issues like spoofed IMEIs), and empower subscribers to report fraud, block lost/stolen devices, and verify handset authenticity. Crucially, manufacturers must ensure the app cannot be removed by the end-user.
## Key Details
- **Issuing Authority:** India’s Department of Telecommunications (DoT).
- **Effective Date:** The directive has just been issued (as of the article timeline).
- **Jurisdiction:** All mobile handsets distributed and used within India.
- **Status:** Final Directive, immediate compliance required.
## Requirements
### Mandatory Requirements
1. **Mandatory Installation:** All smartphone manufacturers must install the "Sanchar Saathi" app on every handset sold in the country.
2. **Pre-installation and Visibility:** The app must be pre-installed, "visible, functional, and enabled for users at first setup."
3. **Accessibility:** The app must be "easily accessible during device setup."
4. **Non-Removability:** Manufacturers must ensure the installed code/app cannot be removed or uninstalled by the end-user.
5. **Feature Integrity:** Manufacturers may not disable or restrict the features of the Sanchar Saathi application.
6. **Software Updates:** The directive extends to existing handsets via mandatory software updates to ensure the app is installed.
### Recommended Practices
1. Ensure clear communication to end-users regarding the app's purpose (fraud reporting, device blocking, IMEI verification).
2. Consult legal counsel regarding data access rights, as the app accesses call logs and messages for reporting purposes.
## Affected Organizations
- **Industries:** Smartphone Manufacturing, Mobile Device Sales, Telecommunications.
- **Organization Size:** All manufacturers selling devices into the Indian market, regardless of size.
- **Geographic Scope:** India.
## Compliance Timeline
- **Directive Issued:** Approximately December 2, 2025 (based on article date).
- **Final deadline:** **90 days** from the date of the directive for full implementation (installation on new devices and distribution of necessary software updates for existing devices).
## Implementation Guidance
### Assessment Phase
- Inventory all current and future handset models destined for the Indian market to identify those requiring the update/pre-installation.
- Review existing device provisioning and imaging processes to integrate the required app build.
### Implementation Phase
1. **Develop/Obtain Final Build:** Secure the final, approved version of the Sanchar Saathi app from the DoT.
2. **Integration:** Integrate the app into the base operating system image for new devices.
3. **OTA Strategy:** Develop and test an Over-The-Air (OTA) update mechanism targeting activated devices already in use to satisfy the requirement for existing handsets.
4. **Test Non-Removability:** Rigorously test to confirm that standard user controls (including factory resets, if applicable) do not permit user removal of the mandated application.
### Validation Phase
- Conduct internal penetration testing or assurance audits to confirm the app is present, functional, and non-removable on test devices following the required software updates/initial setup.
- Obtain formal sign-off from the DoT or designated regulatory body confirming successful integration prior to the deadline.
## Technical Requirements
- The application must possess the technical capability to access call logs and message data (for reporting suspected fraud).
- Technical controls must be implemented to prevent user deletion or disabling of the application components.
- The app must communicate reported data to the Department of Telecommunications (DoT).
## Penalties & Enforcement
- **Fines:** While specific monetary fines are not detailed in the provided text, non-compliance with government directives typically carries significant financial penalties.
- **Other Consequences:** Potential revocation of operating licenses or inability to sell new hardware in the Indian market.
- **Enforcement:** Enforcement will likely involve monitoring compliance during device certification and potentially auditing devices already in circulation. Previous industry conflicts, such as those over incident reporting, suggest the government is prepared to enforce its rules, though industry feedback may lead to clarification post-issuance.
## Related Standards
- **DoT Regulations:** This directive supersedes general practices, and implementations must adhere specifically to the technical specifications published by the Department of Telecommunications (DoT).
- **Cybersecurity Incident Reporting:** Although not directly referenced, this mandate follows similar trends where India has issued aggressive compliance requirements (e.g., the previous strict reporting windows for cybersecurity incidents).
## Resources
- **Official Documentation:** Press Release from the Government of India (link provided in source text, but defanged here: pib[dot]gov[dot]in/PressReleasePage[dot]aspx?PRID=2197140).
- **Guidance Documents:** Specific technical integration guides would be issued by the DoT.
- **Tools:** Manufacturers must use internal QA/testing suites to validate the installation and non-removability post-update.
## Practical Recommendations
1. **Prioritize Update Path:** Develop and rigorously test the OTA update strategy immediately, as meeting the 90-day window for existing devices is often the most challenging aspect.
2. **Data Privacy Review:** Conduct an immediate review of the data access permissions (call logs, messages) to ensure they align internally with the perceived security necessity, even if the mandate requires full access for reporting functions.
3. **Proactive Engagement:** Engage with the DoT early to clarify any grey areas regarding the "non-removable" technical implementation before the deadline expires.