This is from an email this morning:
The Government of India recently issued a directive requiring phone manufacturers to preinstall a state-developed mobile application (Sanchar Saathi) at the operating-system level for all devices manufactured or imported into India. While positioned as an anti-fraud and anti-theft measure, the app is engineered with capabilities that allow location tracking, message and image extraction, and audio monitoring at the device layer. These capabilities would exist outside normal privacy controls and could be invoked without user consent.
Although the government has announced it will “reconsider” the mandate following significant pushback, the underlying risk remains unchanged:
Any workforce, contractor, or vendor operating in India may be required to use mobile devices with pre-installed state-intercept capabilities.
Why it matters: This is especially relevant for us because many departments currently have India-based contractors/vendors with access to Corporate data.
Compounding this risk, India is already listed among countries whose certificate authority (CA) roots of trust are injected into Apple and Google devices by default, enabling lawful intercept and SSL spoofing at the OS trust-anchor layer (see attached, page 4 for India).
What this means for us: From a security posture perspective, devices in India can be compelled to intercept or reroute communications, harvest credentials, and potentially access application-layer data. This creates a non-trivial exposure pathway for any corporate data accessed from those devices.
Recommended next steps:
Inventory & Assess
Validate which of your department's India-based vendors or contractors have logical access to department's systems or datasets.
Classify the sensitivity of any data they can access.
Review Contractual & Regulatory Obligations
Evaluate whether exposure of data through compelled OS-level surveillance could create compliance or contractual liabilities.
Prepare Leadership Awareness
This development aligns with a broader global trend of state-mandated device manipulation. We should ensure our executive leadership team remains informed and aligned on Corporate risk appetite and safeguards.
Strengthen Credential Protections
Require MFA using methods resilient to mobile credential harvesting.
Rotate credentials for any user traveling to or working from India, aligned with best-practice mobile hygiene guidance.
Apply Zero-Trust Controls
Restrict access from unmanaged or high-risk geographies.
Require secure, monitored virtual desktops or hardened access pathways for any India-based work.
Sources:
New York Times - https://www.nytimes.com/2025/12/02/business/india-tracking-app-sanchar-saathi.html
Reuters - https://www.reuters.com/world/india/india-cyber-safety-app-mandate-breach-privacy-main-opposition-party-tells-2025-12-03/