India’s Ministry of Communications has ordered all smartphone manufacturers to preinstall the government’s Sanchar Saathi app on devices sold in the country, marking one of the most far‑reaching attempts to hard‑wire a state cybersecurity tool into the consumer mobile ecosystem. Vendors have 90 days to comply, and the requirement applies not only to new devices, but also to phones already in the supply chain via software updates.
Mandatory Sanchar Saathi App: Objectives and Core Capabilities
Sanchar Saathi, developed by India’s Department of Telecommunications (DoT), is positioned as a national platform to combat cybercrime, telecom fraud and abuse of mobile services. The app is available for Android and iOS and integrates several security functions into a single interface.
Through Sanchar Saathi, users can:
- Report suspicious activity involving calls, SMS and WhatsApp messages, helping operators and regulators identify fraud campaigns;
- Block lost or stolen phones, cutting off network access to devices reported as compromised;
- Verify a device’s IMEI (International Mobile Equipment Identity) to detect blacklisted phones or those using cloned / duplicate identifiers;
- Flag and block suspicious international calls that spoof local numbers, a common vector for phishing and social engineering.
According to government figures, since its launch in May 2023 the platform has been used to block more than 4.2 million lost devices, with around 724,000 smartphones reportedly returned to legitimate owners. The app has surpassed 11.4 million installations, underscoring strong user demand for mobile security tools in India’s rapidly expanding digital economy.
Telecom Cybersecurity and the Fight Against IMEI Cloning
Why IMEI Integrity Matters for Network Security
A central focus of Sanchar Saathi is the fight against duplicate and fake IMEI numbers. An IMEI is a unique hardware identifier used by mobile networks to recognize a device. When a phone is stolen or involved in criminal activity, its IMEI can be blacklisted, preventing it from connecting to networks.
If multiple devices share the same IMEI or if the identifier is tampered with, lawful interception, investigation and blocking become significantly harder. Authorities risk seeing the same IMEI active in different locations at once, complicating attribution of fraudulent activity and enabling persistent abuse of telecom infrastructure.
By allowing citizens to check whether a phone is on a blacklist before purchase, Sanchar Saathi is designed to undermine the grey market for stolen or blocked devices. This can increase transparency in the secondary smartphone market and reduce the likelihood that buyers unwittingly become involved in illicit resale chains.
Mitigating Phone Fraud and Social Engineering Attacks
The app also targets phone and messaging fraud, particularly international calls disguised as domestic ones. Such calls are frequently used to trick victims into revealing one‑time passwords (OTPs), banking credentials or other sensitive data.
Centralized reporting of suspicious calls and messages gives telecom operators and regulators a more complete dataset for pattern analysis, blacklisting and threat intelligence. This can help shut down campaigns more quickly and improve filtering rules at the network level.
Privacy Concerns, App Permissions and Industry Pushback
The most controversial aspect of the mandate is the breadth of permissions requested by Sanchar Saathi. According to its listing on Google Play, the app can access SMS content, call logs, the camera, local storage and device identifiers. While many of these permissions are technically necessary for its security features, they also create a high‑sensitivity application from a privacy standpoint.
The government directive requires manufacturers to make the app visible and accessible during initial device setup, and key functions may not be disabled or materially restricted. At the same time, the communications minister has stated publicly that using Sanchar Saathi is “fully voluntary” and that users can uninstall it, an apparent tension that local media have highlighted when comparing public statements with the formal order.
Reuters has reported that Apple has indicated it does not intend to comply with forced preinstallation, citing its consistent global approach to iOS security and privacy. This sets up a potential regulatory clash and raises broader questions about how far national governments can compel integration of state security apps into closed, globally managed platforms.
From a cybersecurity governance perspective, any preinstalled government application with elevated privileges requires maximum transparency: detailed data‑handling policies, independent security and privacy audits, strict access controls for law‑enforcement requests, and user‑friendly mechanisms for consent, revocation and deletion of data.
New SIM-Linking Rules for Messaging Apps in India
The Sanchar Saathi mandate coincides with new obligations for major messaging platforms operating in India, including WhatsApp, Telegram, Signal, Snapchat, JioChat, Arattai and others.
Under the new rules, messaging services must:
- Block access for users whose device does not contain an active SIM card;
- Enforce continuous linkage between accounts and a working SIM within 90 days of the rules taking effect;
- Restrict web sessions (e.g., WhatsApp Web) to a maximum of six hours, after which re‑authentication via QR code is required.
The government argues that criminals exploit the fact that many apps verify a phone number only once during registration and then continue to function even after the SIM is removed or deactivated. Binding accounts to active SIMs is intended to make it harder to run fraud and scam operations at scale.
However, tighter SIM linkage also reduces anonymity and pseudonymity. In environments where SIM registration is tied to official identity documents, this can have a chilling effect on journalists, human‑rights defenders and other high‑risk groups who rely on private communications and burner devices to reduce exposure.
Against this backdrop of stricter regulation, both users and companies should treat mobile security and privacy as strategic priorities. Individuals in India can strengthen their position by carefully reviewing app permissions, enabling two‑factor authentication, using device lock and encryption, and staying informed about evolving digital‑security laws. Service providers operating in the country should conduct rigorous privacy impact assessments, minimize data collection wherever possible and embed security‑by‑design and privacy‑by‑design principles into their architectures to comply with regulation while preserving user trust.
