On November 28, 2025, the Indian government quietly directed all smartphone manufacturers to pre-install a government app called Sanchar Saathi on every new device sold or imported into the country, according to media reports.
Citing a “serious endangerment to telecom cyber security” from duplicate or spoofed IMEIs, the directive requires the app to be present on all upcoming smartphones and states that its functionalities cannot be “disabled or restricted,” effectively making it a permanent part of the operating system.
According to the Google Play Store’s permissions listing for the current version, the app may request access to the camera, call logs, SMS, and the phone’s stored photos and videos.
These unusually sweeping requirements, which amount to giving a government app unrestricted access to the most sensitive parts of a person’s phone, have set off alarm bells among lawyers, security researchers and digital rights groups.
The outrage has spilled offline and online, with opposition leaders and social-media users calling it a full-blown “Big Brother” move, invoking Orwell’s ever-watchful surveillance state from 1984.
Permanent Government Presence On Personal Devices
Shortly after the directive became public, the Internet Freedom Foundation (IFF), a digital rights non-profit, issued a statement warning of a “sharp and deeply worrying expansion of executive control over personal digital devices.”
IFF also pointed out that the Department of Telecommunications (DoT) has still not published the full text of the order, leaving civil-society groups dependent on versions circulated by the media. RTI requests have since been filed to obtain the official document.
According to IFF, the core concern lies in Clause 7(b), which requires the app to be “readily visible” and ensures that its functionalities “are not disabled or restricted.” In effect, this would treat Sanchar Saathi as a system-level component embedded into the operating system—enjoying privileged access and, for most users, impossible to meaningfully control or remove.
Viewed through the Supreme Court’s Puttaswamy ruling, IFF argues that this structure cannot satisfy the proportionality test, which requires any privacy-limiting measure to use the least intrusive means available. IMEI-checking and device-verification already exist through CEIR, SMS-based Know Your Mobile (KYM) services, and USSD codes—none of which require a permanent, non-removable app running in the background.
“There is no technical explanation in the order for why a one-time or occasional verification exercise justifies a resident, non-removable application with elevated privileges that lives on the phone for the lifetime of the device,” IFF’s statement notes.
Laying The Groundwork For Unrestricted Surveillance
Legal experts and security researchers note that the primary risk stems from the future capabilities a permanent, government-controlled system app could be given.
Apar Gupta, digital rights lawyer and co-founder of IFF, tells BOOM that embedding a non-removable government app inside the OS “normalises a privileged state presence on every device,” creating a pathway that can be expanded through subsequent updates.
According to Gupta, future software pushes could allow Sanchar Saathi to:
- map installed apps,
- flag “unapproved” or “banned” applications,
- detect VPN use,
- build fine-grained location histories,
- correlate device identifiers with Aadhaar, bank accounts or travel records, or
- run on-device scans under broad headings such as “fraud detection” or “disinformation control.”
“None of this needs a new app; it just needs new code pushed into an existing, trusted channel that the user cannot meaningfully refuse,” he added, noting that this sets up both the technical and legal groundwork for client-side surveillance, with future expansions becoming relatively frictionless.
Independent security researcher Karan Saini, who has previously uncovered vulnerabilities in systems linked to Aadhaar and the Election Commission of India, notes that the danger isn’t limited to surveillance.
According to him, even if the app never expands its functions, a privileged, non-removable app of this kind does not need to be malicious to be risky, as “it can simply be vulnerable and be open to exploitation by other applications on the phone.”
High Risk, No Returns
Saini adds that the government’s technical justification in the directive is incorrect. “Android and iOS applications cannot access device IMEI,” he says. “So the notion that this, or any other application could prevent spoofing or cloning of IMEI is flawed and unfounded.”
He also questions the practical value of turning Sanchar Saathi into a non-removable component. “Beyond making it easier for users to access the few provided utilities, which aren’t particularly novel or groundbreaking, there’s no value,” he says. Technically skilled users, he adds, would still be able to disable or remove it.
His larger concern is the kind of visibility the app grants the state. “Plain and simple, this gives the government visibility that they’ve never had before,” he says. “It shows who owns which phone. Until now, that information sat only with telecom operators and network providers. If the app is installed by default, the analytics it collects will allow the government to build those profiles directly."
Does DoT Even Have Jurisdiction Over Phones?
The order raises a fundamental jurisdiction question, as per Gupta.
DoT’s statutory authority traditionally covers telecom networks, telcos, and licensed services, not every handset or personal device that connects to those networks. “DoT is using ‘telecom cyber security’ as the hook to push a mandatory app directly into the handset supply chain,” he says. “That is at least a serious jurisdictional question.”
Gupta notes that when the Telecom Act and the Cyber Security Rules were being debated, civil society groups flagged vague language that could allow DoT to expand its reach over “OTT applications.” This mandate, he argues, is a real-world example of that concern materialising.
He also notes the confusion created by conflicting public statements on whether the app can be removed, pointing to Union Minister Jyotiraditya Scindia’s claim that users could delete it, even though the leaked directive states its functionalities “are not disabled or restricted.”
“In law, what binds you is the written order, not what an official says later to a reporter,” Gupta notes. “If the order says, in substance, that the app must be pre-installed and its functionalities must not be disabled or restricted, that points to a non-removable or effectively non-disableable app."
"If later a DoT official tells the press “don’t worry, you can uninstall it,” but the text of the order is not amended, we are left in a zone of confusion. That inconsistency weakens legal certainty, and a court can read it as lack of application of mind or arbitrary exercise of power," he adds.
By December 2, 2025, several telephone users across India reported receiving the following message promoting Sanchar Saathi:
“Need to check if your mobile is genuine?
Download Sanchar Saathi to check
Android: https://bit.ly/3ZR4H3P
iOS: https://apple.co/4554aik
Department of Telecom
Uncertain Path Ahead
The mandate’s fate may now hinge not only on legal and technical scrutiny but also on whether major smartphone makers comply.
According to Reuters, Apple has already decided not to preload the app on its devices in India and plans to raise its objections with the government. Other manufacturers are still assessing the directive and have not confirmed how they intend to implement it.
For now, the directive exists only in leaked form, with no public implementation roadmap, no technical specification for manufacturers and no published safeguards for users. Until the government releases the final order, it remains unclear whether the mandate will proceed, be amended or face pushback strong enough to halt it entirely.