India orders device makers to put government-run security app on all phones

Summary

Consumers can also use the app or website to check the number of mobile connections in their name and report any that appear to be fraudulent. Priyanka Gandhi of the Congress Party, a member of Parliament, said that Sanchar Saathi “is a snooping app… It’s a very fine line between ‘fraud is easy to report’ and ‘we can see everything that every citizen of India is doing on their phone.'” She called for an effective system to fight fraud, but said that cybersecurity shouldn’t be “an excuse to go into every citizen’s telephone.” App may need “root level access” Despite Scindia saying the app can be deleted by users, the government statement that phone makers must ensure its functionalities are not “disabled or restricted” raised concerns about the level of access it requires. While the app store version can be deleted, privacy advocates say the order’s text indicates the pre-installed version would require deeper integration into the device. The Internet Freedom Foundation, an Indian digital rights advocacy group, said the government directive “converts every smartphone sold in India into a vessel for state mandated software that the user cannot meaningfully refuse, control, or remove. For this to work in practice, the app will almost certainly need system level or root level access, similar to carrier or OEM system apps, so that it cannot be disabled. That design choice erodes the protections that normally prevent one app from peering into the data of others, and turns Sanchar Saathi into a permanent, non-consensual point of access sitting inside the operating system of every Indian smartphone user.” The group said that while the app is being “framed as a benign IMEI checker,” a server-side update could repurpose it to perform “client side scanning for ‘banned’ applications, flag VPN usage, correlate SIM activity, or trawl SMS logs in the name of fraud detection. Nothing in the order constrains these possibilities.”