What It Is, How It Works & What Users Should Know

The DoT earlier told companies that the application cannot be deleted, restricted or disabled by users. However, following concerns over mandatory installation, Telecom Minister Jyotiraditya Scindia clarified on Tuesday (December 2) that it is optional.

“If you want to delete the app, you can, it is not mandatory. For instance, if you don’t want to use the app, don’t register for it, it will stay dormant, and delete it if you want to… Every citizen in the country does not know that this app exists to protect them from digital frauds and theft, and it is our responsibility to make the app available to everyone,” Scindia said.

Apart from pre-installing the app on all new devices sold, the DoT has directed that a software update with the application be issued to already-sold phones. The DoT’s directive was first reported by Reuters. Here is what to know.

The DoT directive, issued on November 28 under the Telecommunication Cybersecurity Amendment Rules, 2025, sparked criticism over privacy and surveillance issues. The diktat effectively meant that users had no say in whether they wanted to use the app, and no option to remove it if their phone came preinstalled with it.

“…this converts every smartphone sold in India into a vessel for state mandated software that the user cannot meaningfully refuse, control, or remove. For this to work in practice, the app will almost certainly need system level or root level access, similar to carrier or OEM system apps, so that it cannot be disabled. That design choice erodes the protections that normally prevent one app from peering into the data of others, and turns Sanchar Saathi into a permanent, non-consensual point of access sitting inside the operating system of every Indian smartphone user,” Delhi-based digital rights group, Internet Freedom Foundation, said in a statement.

Apart from this, its privacy policy and user data access requirements have raised concerns and have been flagged by at least one open-source application testing service.

Story continues below this ad

This is the first time the government has issued a directive mandating the installation of a state-backed application on phones. While such a move would be unusual in most Western democracies, it is not entirely without precedent. Russia recently directed smartphone companies to preinstall the state-backed messaging platform MAX, a rival to WhatsApp, which critics say could be used to track users.

Besides, when the Telecommunications Act was being finalised in 2023, several concerns were raised that the law might be broad and cover online platforms as well. While the government had then said that no such overlaps would happen, the telecom cybersecurity rules, which draw their powers from the Telecom Act, are now being used to issue directions to tech companies.

Understanding Sanchar Saathi’s privacy architecture

Here’s a look at the personal data that Sanchar Saathi has access to, and the red flags that a prominent open-source application testing service has raised on the permissions that it seeks:

*Registration with a phone number is mandatory and happens automatically on Android devices, without the user’s explicit consent.

Story continues below this ad

*Users who wish to use the app’s features are required to mandatorily register on the Sanchar Saathi app using their phone number. It says registration is required “to identify the mobile number using the…services of the app”.

*On Android devices, the registration happens “automatically,” as per FAQs in the Sanchar Saathi app, as it can detect the active mobile number in the phone and send an automatic message for registration to the DoT. However, on iOS devices, users have to press send on the registration message; it does not get sent automatically.

*The directive has also raised red flags among smartphone makers, who are arguing that it would require big operating system-level changes. Surveillance and privacy concerns stem from the fact that it is a government-backed app. The state and its agencies are eligible for blanket exemptions under India’s Data Protection Act, and some view it as the Centre seeking greater control over the internet.

What Sanchar Saathi can access on users’ phones

On Android devices, the Sanchar Saathi app seeks the following permissions:

Story continues below this ad

*Make and manage phone calls: to detect mobile numbers on the phone.

*Send SMS: To complete registration by sending the automatic message to DoT.

*Call/ SMS Logs: To report any calls/SMS in the facilities offered by the Sanchar Saathi App.

*Photos and files: To upload the image of a call/SMS while reporting them, or while reporting lost or stolen mobile phones.

Story continues below this ad

*Camera: For scanning the barcode of the MEI (International Mobile Equipment Identity, or a unique code for each phone) to check its genuineness.

Notably, on iOS devices, the app does not seek permissions to make and manage phone calls and automatically send a text message, presumably because of guardrails present within the operating system. On Apple devices, the Sanchar Saathi app only seeks permission to access photos, files and the camera.

Sanchar Saathi’s data collection and privacy policy

An analysis of Sanchar Saathi’s Android application (.apk file) on the open source application testing service Mobile Security Framework (MobSF) found that several codes allow the app to undertake multiple tasks related to user data.

It can take pictures and videos with the camera, read call logs, read data from external storage (like memory cards), and access phone features which can “can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and so on”. According to MobSF’s analysis, all these permissions fall under the “dangerous” category.

Story continues below this ad

The platform’s short privacy policy states that the application does not automatically capture any personal information without prior notification. If personal information is requested, the user will be informed of the purposes, and “adequate security measures will be taken” to protect that data, it states. It prohibits sharing personally identifiable information (PII) with third parties (public/private), except when required by law enforcement.

“If the application requests you to provide personal information, you will be informed for the particular purposes for which the information is gathered and adequate security measures will be taken to protect your personal information,” the policy states.

However, the app’s privacy policy lacks some elements that are considered the industry standard for privacy. For instance, it has no explicit statement about users’ rights, does not allow users to request a correction or, more importantly, deletion of their data from the app, and has no opt-out mechanism. Based on the privacy policy, it is unclear how long it stores the data it has access to.

Also, in its developers’ declaration section on Apple’s and Google’s app stores, the DoT has declared that the application does not collect any user data. However, that is simply not accurate, as the app does collect different types of personal data, including users’ phone numbers upon registration, photos, and call and SMS logs.

Queries sent to the DoT remained unanswered until publication.