BBC - India has ordered all new smartphones to come pre-loaded with a state-run cybersecurity app, sparking privacy and surveillance concerns.
Under the order - passed last week but made public on Monday - smartphone makers have 90 days to ensure all new devices come with the government's Sanchar Saathi app, whose "functionalities cannot be disabled or restricted".
It says this is necessary to help citizens verify the authenticity of a handset and report the suspected misuse of telecom resources.
The move - which comes in one of the world's largest phone markets, with more than 1.2 billion mobile users - has been criticised by cyber experts, who say it breaches citizens' right to privacy.
Under the app's privacy policy, it can make and manage phone calls, send messages, access call and message logs, photos and files as well as the phone's camera.
"In plain terms, this converts every smartphone sold in India into a vessel for state mandated software that the user cannot meaningfully refuse, control, or remove," advocacy group Internet Freedom Foundation said in a statement.
Amid the growing criticism, India's Minister of Communications Jyotiradtiya Scindia has clarified that mobile phone users will have the option to delete this app if they don't want to use it.
"This is a completely voluntary and democratic system - users may choose to activate the app and avail its benefits, or if they do not wish to, they can easily delete it from their phone at any time," he wrote on X.
The minister did not, however, clarify how this would be done if the app's functions cannot be disabled or restricted.
Launched in January, the Sanchar Saathi app allows users to check a device's IMEI, report lost or stolen phones and flag suspected fraud communications.
An IMEI - the International Mobile Equipment Identity - is a unique 15-digit code that identifies and authenticates a mobile device on cellular networks. The code is essentially the phone's serial number.
In a statement, India's Department of Telecommunications said that mobile handsets with duplicate or spoofed IMEI numbers pose "serious endangerment" to telecom cyber security.
"India has big second-hand mobile device market. Cases have also been observed where stolen or blacklisted devices are being re-sold," it said, adding that this makes the purchaser an "abetter in crime and causes financial loss to them".
Under the new rules, the pre-installed app must be "readily visible and accessible" to users when they set up a device and its functionalities cannot be disabled or restricted.
Smartphone makers must also "make an endeavour" to provide the app through software updates for devices that are out of factories but haven't been sold yet, the statement said.
All companies have been asked to give compliance reports on the order in 120 days.
The government says the move will bolster telecom cybersecurity. A Reuters report, citing official figures, says the app has helped recover more than 700,000 lost phones - including 50,000 in October alone.
But experts say the app's broad permissions raise concerns about how much data it can collect, widening the scope for surveillance.
Technology analyst Prasanto K Roy says the bigger concern is about how much access an app might eventually be allowed on the handset.
"We can't see exactly what it's doing, but we can see that it's asking for a great deal of permissions - potential access to just about everything from flashlight to camera. This is itself worrying," he told the BBC.
On Google's Play Store, the app says it doesn't collect or share any user data. The BBC has reached out to the department of telecommunications with questions about the app and the privacy concerns related to it.
Mr Roy adds that compliance will be difficult, since the order runs counter to the policies of most handset-makers, including Apple.
“Most companies prohibit installation of any government or third-party app before the sale of a smartphone," he says, "barring in China and Russia”.
While India's smartphone market is dominated by Android, Apple's iOS powered an estimated 4.5% of the 735 million smartphones in the country by mid-2025, according to Counterpoint Research.
Apple has not commented publicly, but Reuters reports it does not intend to comply and "will convey its concerns to Delhi".
India is not the only country to have tightened rules on device verification.
In August, Russia ordered all phones and tablets sold in the country to come pre-installed with the state-backed MAX messenger app, sparking similar privacy and surveillance concerns.