By ByteBot
India’s government withdrew a controversial order yesterday (December 3, 2025) that would have forced Apple, Samsung, and all smartphone makers to pre-install a state-run cybersecurity app called “Sanchar Saathi” on every device sold in India. The reversal came just five days after the November 28 directive, following fierce resistance from Apple—which refused to comply—and backlash from opposition politicians, privacy advocates, and major media outlets warning of surveillance overreach.
This is a rare victory for digital rights and platform security. If India had succeeded in mandating government backdoors on 1.4 billion devices, every authoritarian regime would have followed. Apple’s refusal protected users worldwide, not just in India.
Cybersecurity App With a Backdoor Problem
The November 28 order gave manufacturers 90 days to pre-install Sanchar Saathi on all new smartphones, with the app “readily visible and accessible” at first use and its features “not disabled or restricted.” The official purpose: combat fraud by tracking stolen phones via IMEI numbers and reporting suspicious calls. However, the real concern was clear: pre-installed government app with system access equals potential surveillance backdoor.
Congress MP Randeep Singh Surjewala warned in Parliament that “such compulsorily installed app can have a backdoor, thereby absolutely compromising the data and privacy of the user.” He specifically cited fears of real-time geo-location tracking, search history monitoring, and conversation surveillance.
Pre-installed apps bypass the fundamental security model of modern platforms. When you download an app voluntarily, you review permissions and choose whether to trust it. Mandatory pre-installation removes that choice, granting government software system-level access without users ever consenting. If Sanchar Saathi was legitimate security software, users would choose to install it themselves.
Apple’s Decisive Refusal Forced Government Retreat
Apple told the Indian government it “does not follow any such mandates anywhere in the world” and would not pre-install Sanchar Saathi on iPhones. Samsung also reviewed the order with clear reluctance. Facing a standoff with the world’s most valuable tech company, the government backed down within five days.
This isn’t Apple’s first stand against government backdoors. In 2016, the FBI demanded a backdoor to unlock the San Bernardino shooter’s iPhone. Tim Cook refused, arguing that “such software would allow the US government and any other actors who acquired it to access any iPhone in the world.” The same year, China requested iPhone source code. Apple’s General Counsel testified under oath: “We refused.” More recently, the UK demanded Apple compromise iMessage encryption. Apple refused again.
Apple isn’t doing this out of altruism—it’s protecting its global brand and user trust. Nevertheless, the effect is the same: when Apple refuses to compromise platform security for one government, it protects users everywhere. If Apple had caved to India, every country from China to Russia to Iran would demand the same.
Russia and China Already Mandate Surveillance Apps
“Cybersecurity” and “fraud prevention” are common cover stories for surveillance infrastructure. Russia now mandates the MAX messenger app on all smartphones, which lacks end-to-end encryption by design and shares metadata, calls, location, and activity with authorities. Meanwhile, China’s WeChat operates under laws requiring data sharing with the government, and state security police can search devices without warrants.
India’s Sanchar Saathi followed the exact same playbook: legitimate-sounding purpose (track stolen phones), mandatory installation (no user choice), system-level access (deep permissions), government control (can update and modify), and vague data collection policies. The only difference is that India’s attempt failed.
If a government app was actually about fraud prevention and user security, it wouldn’t need to be mandatory. Developers would voluntarily download it. The fact that India tried to force installation—bypassing user consent—reveals the real intent. This isn’t unique to India; it’s a global surveillance playbook. The “cybersecurity” excuse is a trojan horse.
Why Pre-Installation Breaks Platform Security
Modern mobile security is built on user consent and app isolation. Users choose which apps to install, grant specific permissions during setup, and can uninstall apps they don’t trust. App stores (Apple App Store, Google Play) review apps before distribution. Pre-installed government apps bypass all of these protections: no user choice, no app store review, no clear permission boundaries, and often can’t be uninstalled.
Once the principle of mandatory government apps is established, there’s no logical stopping point. If India can mandate a “fraud prevention” app today, why not a “terrorism monitoring” app tomorrow? Why not a “content moderation” app? Pre-installation breaks the trust chain between user, device manufacturer, and operating system. It’s not just about this one app—it’s about the precedent.
India May Try Again
India’s Communications Ministry cited “increasing voluntary adoption” as the reason for withdrawing the mandate. That phrasing leaves the door open: if voluntary adoption is deemed insufficient, the government could try again. Furthermore, the order was revoked, not ruled unconstitutional. Other countries are watching—Indonesia, Pakistan, Bangladesh have similar fraud problems and could cite India’s attempt as precedent.
Developers, manufacturers, and users need to stay vigilant. Governments that try once will try again with modified versions. The battle for platform security and user privacy isn’t won with one successful resistance—it’s an ongoing effort requiring constant pushback against surveillance creep.
