ITSAR: 83 Security Rules That Could Change Your Smartphone Forever [2026]

Author: BS Raj
itsar smartphone security
Go back More Articles
ITSAR: 83 Security Rules That Could Change Your Smartphone Forever [2026]
India's proposed 83-point ITSAR security framework has Apple, Samsung, Google, and Xiaomi pushing back hard. Here's what's on the table, what the government denies, and why 750 million smartphone users should pay attention.

TL;DR — Verdict

WHAT HAPPENED: India's NCCS has drafted 83 smartphone security rules (ITSAR) that could require manufacturers to share source code, retain logs for 12 months, and get pre-approval for updates.

WHY IT MATTERS: 750 million Indian smartphone users could see delayed security patches, while Apple, Samsung, Google, and Xiaomi warn of IP exposure with no global precedent.

WHO IS AFFECTED: Every smartphone owner in India, manufacturers (Xiaomi 19%, Samsung 15%, Apple 5% market share), and app developers who may need to comply with new permission rules.

WHAT'S NEXT: MeitY-industry meeting scheduled for January 13, 2026. Government says consultations ongoing; Internet Freedom Foundation demands public disclosure of draft rules.

Scroll for breakdown, risks, and what actually matters.

Verdict
Quick Answer: India's proposed ITSAR framework includes 83 security rules for smartphones, potentially requiring source code disclosure and year-long log retention. Best for: Security-conscious observers tracking India's regulatory direction. The catch: Nothing is final, and MeitY calls leaked reports "fake."

Your next Android security patch might take weeks longer to reach you.

That's not speculation. That's what happens when a government wants to review every major software update before you get it. According to Reuters, India is examining a 83-point security framework called ITSAR—Indian Telecom Security Assurance Requirements—that could fundamentally change how 750 million smartphones operate in the country.

Apple doesn't like it. Samsung doesn't like it. Xiaomi definitely doesn't like it. And MeitY, the ministry in charge, says the whole thing is being blown out of proportion.

So who's telling the truth? And more importantly: should you care?

Here's the thing—you probably should.

What Is ITSAR and Why Is Everyone Fighting About It?

ITSAR isn't new. The National Centre for Communication Security (NCCS) has been developing these telecom security standards for years. But according to Business Today, the current draft proposes something unprecedented: requiring smartphone manufacturers to submit their source code to government-approved testing labs.

Let that sink in. The actual underlying code that runs your iPhone or Android phone—available for government review.

The NCCS ITSAR document explicitly states that "source code shall be made available" at a Telecom Security Testing Laboratory for review. And that's just one of 83 proposed requirements. According to The Street, the package also includes:

  1. 12-month log retention: Your phone would need to store system activity logs locally for a full year
  2. Mandatory malware scanning: Regular on-device scans, which industry groups warn could drain battery and consume storage
  3. Background permission restrictions: Apps blocked from using camera, mic, or location when inactive
  4. Update pre-approval: Manufacturers may need to notify NCCS before releasing major software updates

The industry association MAIT argues these requirements have no global precedent. Not in the EU. Not in North America. Not in Australia. Nowhere.

The Denial That Doesn't Quite Add Up

On January 11, 2026, MeitY's official fact-check channel labeled reports about mandatory source code sharing as "fake." According to India TV, PIB Fact Check stated that consultations are routine and no such mandate exists.

But here's where it gets interesting. The Internet Freedom Foundation (IFF) immediately challenged this denial, pointing to publicly available ITSAR draft documents that explicitly mention source code requirements. According to Moneylife, IFF posed six direct questions to the government, including whether the ITSAR draft exists as official policy and why no public consultation has been conducted.

IT Secretary S. Krishnan told Reuters the government was open to hearing industry concerns and that it was "too early to draw conclusions." That's not exactly a denial of the draft's contents—it's a statement that nothing is finalized.

The NCCS document is real. The language about source code review is real. Whether it becomes law is the question.

Why Apple and Samsung Are Actually Worried

You might think this is just corporate whining about having to follow local rules. But according to Domain-b.com, the concerns go deeper than IP protection.

Consider what happens if India requires pre-approval for security patches. A critical vulnerability is discovered. Apple or Google develops a fix. But instead of pushing it to your phone within days, they need to submit it for government review first. That's a window where your device remains vulnerable—not because the fix doesn't exist, but because bureaucracy.

The industry groups also flag practical problems with on-device malware scanning: battery drain, storage consumption, and false positives that could flag legitimate apps. According to startup news outlet StartupNews.fyi, a pivotal meeting between MeitY and tech executives was scheduled for January 13, 2026, to hash out whether the government would soften its stance.

Xiaomi, with 19% of India's smartphone market according to Counterpoint, has the most at stake. Samsung follows at 15%, and Apple—despite its smaller 5% share—has the loudest objections because of its historically tight control over iOS.

What This Means If You're Reading This on Your Phone in India

Right now? Nothing changes.

ITSAR is still in consultation. No final rules have been notified. Your phone will continue receiving updates the same way it does today—for now.

But India is projected to reach one billion smartphone users by 2026. When a market this size implements device-level security requirements, manufacturers don't just comply for India—they often build compliance into their global products. That's why the EU's regulations affect phones worldwide.

If ITSAR passes in its current form, you might see:

  1. Slower security updates — If pre-approval becomes mandatory
  2. Different software — India-specific versions of Android or iOS with compliance features baked in
  3. Privacy trade-offs — Logs stored on your device for a year is data that exists, whether encrypted or not
  4. App restrictions — Background permission changes could break apps that rely on location or mic access while inactive

The Internet Freedom Foundation argues that stakeholder consultation cannot be limited to closed-door meetings with large tech companies. They want the draft released for public scrutiny. That hasn't happened yet.

The Real Question Nobody Is Asking

Here's the twist: the government isn't entirely wrong about security concerns.

India's National Cyber Crime Reporting Portal recorded 22.68 lakh cybersecurity incidents in 2024, up from 10.29 lakh in 2022. According to the Seqrite India Cyber Threat Report 2026, Indian organizations face over 2,000 cyberattacks per week—double the global average. Online fraud is rampant. Data breaches are routine.

Doing nothing isn't a great option either.

The question is whether ITSAR's approach—source code access, log retention, update pre-approval—actually addresses those problems, or whether it creates new ones while solving nothing. Industry groups say the cure is worse than the disease. The government says it's being misrepresented.

The truth is probably somewhere in between. And until MeitY releases the actual draft for public comment, we're all arguing about leaked documents and official denials.

We'll update this article when the government finalizes its position or releases the draft publicly. Until then, your phone works the same way it did yesterday. But the rules governing it might not stay that way forever.