Security Experts Say India Made 'Right Call' In Dropping Mandatory Rollout Of Govt App
A bid by the Indian government to require smartphone makers to preload a state-run cybersecurity app could have offered citizens extra protection against phone theft - but experts say it also opened the door to serious privacy risks. The plan sparked public backlash, leading India to withdraw the mandatory rollout of the Sanchar Saathi app.
Agam Chaudhary, Founder and CEO of Two99, explained to Khaleej Times that while the app had noble intentions, there were issues in the way it was handled. “Preinstalled apps often operate in the background silently,” he said. “Users never asked for them, and yet they remain on the device with privileged access. That creates risks of hidden data collection and a system-level control that the user cannot revoke. In cybersecurity, control equals safety. The less control a user has over their own device, the more fragile the ecosystem becomes.”
According to another expert, it was the “right call” to not mandate the installation of the app. “Sanchar Saathi is a useful step toward protecting citizens from SIM fraud, stolen phones, and the rising wave of scam calls,” said Obaidullah Kazmi, founder & CTO of CREDO Technology Services. “But security tools that handle such sensitive data must be built on transparency and trust. The brief move to make the app mandatory created understandable public concern, and withdrawing that decision was the right call.”
Sanchar Saathi, launched by India's Department of Telecommunications, is designed to help users block lost or stolen phones, check if a mobile device is genuine, and identify SIM cards registered under their name. The platform integrates with national telecom databases to curb SIM-related fraud and reduce cybercrime linked to mobile identity theft.
Permissions
Morey Haber, Chief Security Advisor at BeyondTrust, explained that the app required a broad set of permissions, including access to call logs, permission to send SMS messages during registration, access to the camera and stored images, and access to phone state and device storage.
“Any app with access to calls, SMS, storage, and network connectivity can observe and generate rich metadata, even if the privacy policy describes a narrower use,” he said. “This problem has been the subject of controversy for many social media apps like TikTok.”
Syed Aizad, Lead Security Researcher at Acronis TRU, added that the decision to install an app should lie with the user and should not be mandated. “User autonomy, privacy rights, and security best practices require voluntary installation,” he said. “Mandatory apps create security risks, reduce trust, and violate user control principles.”
It is now up to the citizens and residents of India whether they want to download the app or not. According to the telecom ministry, so far 14 million users have downloaded the app, reporting 2,000 frauds daily.
Risks
Experts say the concern wasn't the idea of the app itself, but the level of access it required and the potential for misuse if preinstalled.
Morey said that the system could potentially be abused by third parties who could collect and transmit call information, phone numbers, and SMS contents; derive location from network information; and read device identifiers and correlate multiple numbers or devices to other entities. “If an app is shipped as a privileged or system app, the risk increases, because it may obtain elevated permissions that regular store apps cannot, and its traffic may be harder for end users to monitor or block,” he said. “That does not prove that Sanchar Saathi is currently doing this, but it means the technical potential exists and must be controlled by design, law, and independent oversight, not only by government assurances.”
Abu Bakker, Founder/CEO of iTAG Technologies, explained why preloading the app was a major risk. “Manufacturers or carriers often install these apps into the system partition, granting them privileged access that regular apps do not have,” he said. “Additionally, these apps frequently bypass the rigorous security checks of app stores like Google Play or the Apple App Store. Preloaded apps are often the weakest link in a device's security chain. Since they are trusted by the operating system by default, they can act as a "Trojan Horse". If a hacker manages to compromise a preloaded app, they inherit its high-level privileges, bypassing the usual security measures that protect the device.”
Agam added that historically any widely deployed, deeply integrated app becomes a high-value target for cybercriminals. “If a vulnerability is discovered, it does not affect one person or one neighborhood,” he said. “It hits an entire nation's devices in one sweep. Threat actors are always searching for the easiest path. A mandatory system app with elevated rights can become that path.”