FACTBOX-India's proposed phone security rules that are worrying tech firms

By Munsif Vengattil and Aditya Kalra

NEW DELHI, Jan 11 (Reuters) - Below are key security requirements India is proposing for smartphone makers like Apple and Samsung, prompting opposition from tech companies, according to four sources, as well as industry and government documents seen by Reuters.

SOURCE CODE DISCLOSURE:

Manufacturers must test and provide proprietary source code for review by government-designated labs to identify vulnerabilities in phone operating systems that could be exploited by attackers.

Industry group MAIT, which represents Apple AAPL.O, South Korea's Samsung 005930.KS, Google GOOGL.O, China's Xiaomi 1810.HK, has told the government this is "not possible" due to corporate secrecy and global privacy policies.

BACKGROUND PERMISSION RESTRICTIONS:

Apps cannot access cameras, microphones or location services in the background when phones are inactive. Continuous status bar notifications are required when these permissions are active.

Manufacturers say this lacks any global precedent and there is no specific test method prescribed.

PERMISSION REVIEW ALERTS:

Devices must periodically display warnings prompting users to review all app permissions, with continuous notifications. Companies say notice should be limited to "highly critical" permissions.

ONE-YEAR LOG RETENTION:

Devices must store security audit logs, including app installations and login attempts, for 12 months.

MAIT argues consumer phones lack the storage capacity for a year of data.

PERIODIC MALWARE SCANNING:

Phones must periodically scan for malware and identify potentially harmful applications.

Manufacturers warn that constant on-device scanning significantly drains the battery and slows hardware performance.

OPTION TO REMOVE PRE-INSTALLED APPS:

All pre-installed apps bundled with the phone operating system, except those essential for basic phone functions, must be deletable.

Companies argue many apps are critical system components that cannot be removed.

INFORMING GOVERNMENT OF MAJOR UPDATES:

Phone makers must notify a government organisation before releasing any major updates or security patches.

Manufacturers argue this is "impractical" because security fixes must be released quickly to protect users from active exploits, while government delays could leave users vulnerable.

TAMPER-DETECTION WARNINGS:

Devices must detect if phones have been rooted or "jailbroken", where users bypass built-in security restrictions, and display continuous warning banners to recommend corrective measures.

Companies say there is no reliable mechanism to detect jailbreaking.

ANTI-ROLLBACK PROTECTION:

Phones must permanently block installation of older software versions, even if officially signed by the manufacturer, to prevent security downgrades.

There is no global standard related to this requirement, manufacturers say.