Sanchar Saathi App: What Data the Govt-Mandated App Collects From Your Phone
In the past few weeks, the Indian smartphone and cybersecurity landscape has witnessed one of its most debated policy shifts. The Department of Telecommunications (DoT) issued directions under the Telecommunication Cybersecurity Amendment Rules 2025, mandating smartphone manufacturers to preload the Sanchar Saathi app on every new device sold in India. The move, aimed at curbing mobile fraud, verifying device authenticity, and enhancing national digital security, has also triggered a significant wave of privacy concerns.
According to a report by Reuters, the government not only instructed companies to preload the app but also ensured that the app should not be easily disabled, raising questions about user autonomy. For existing smartphones already in circulation, manufacturers have been asked to push the app through an OTA software update within 90 days. Interestingly, Apple has reportedly refused to comply, citing its strict app control ecosystem and privacy policies.
The government argues that the app empowers consumers and strengthens anti-fraud mechanisms. However, cybersecurity experts and digital rights organisations see it differently. The conversation around what data the app collects, how deeply it integrates with the device, and the extent of access granted has taken centre stage, especially for Android users.
A Mandatory App That Users May Not Control
One of the most vocal critics, the Internet Freedom Foundation (IFF), described the mandate as transforming every smartphone into a “vessel for state-mandated software” that users cannot easily refuse or uninstall. The concern stems from the expectation that for such an app to remain undeletable and functional, it may require system-level or root-level access, similar to OEM system apps.
This level of integration would allow the app to operate without user-driven permissions, creating an unprecedented gateway into sensitive phone information. According to IFF, bypassing standard Android sandbox protections may allow the app to “peer into data of other apps,” an intrusive possibility that worries privacy advocates.
Following public backlash, Union Minister for Communications Jyotiraditya Scindia clarified that consumers buying phones preloaded with Sanchar Saathi will have the option to delete it. This has provided partial relief, though the technical feasibility and consistency of such an option across different smartphone brands remain unclear.
What the Sanchar Saathi App Actually Does
Sanchar Saathi is not a new app; it was launched earlier this year as part of the government’s efforts to combat rising mobile-related crimes. The application offers several services:
CEIR (Central Equipment Identity Register):
Helps block stolen or lost phones using their IMEI numbers.
TAFCOP (Telecom Analytics for Fraud Management and Consumer Protection):
Allows users to check how many mobile connections are issued under their identity and report unauthorized SIM cards.
Fraud Call and SMS Reporting:
Enables citizens to report suspicious numbers and spam messages.
Device Verification:
Allows users to check if a phone is genuine or reported as stolen based on IMEI.
On paper, the utilities are beneficial and address genuine cyberthreats. The concern arises not from the purpose, but from the permissions the app seeks—especially if bundled as a system application.
Permissions the App Can Access on Android Phones
Users who downloaded the app manually on Android noticed that Sanchar Saathi requests a broad range of permissions. When an app becomes classified as a system app—preloaded by the manufacturer—it no longer requires explicit permission from the user to access sensitive data.
Some of the critical permissions reportedly requested by the app include:
1. Reading and Sending SMS
This allows the app to access OTPs, personal messages, and banking codes.
While required for verification functionalities, this poses a major sensitivity risk.
2. Accessing Call Logs
The app gains visibility into whom you called, when, how long the call lasted, and the frequency of communication.
3. Viewing Phone State and Identity
This includes the device’s phone number, IMEI, serial number, and hardware identifiers—information that is uniquely tied to the user.
4. Checking Active Calls
It can identify whether a call is in progress and see which number the phone is connected to at that moment.
5. Internet Access and Network Status
Necessary for connecting to central government servers, but also gives the app insight into how and when a user goes online.
6. External Storage Access
Allows reading or writing data to the phone’s storage.
7. Camera Access
Required to scan IMEI barcodes, but still sensitive since camera access can be misused without user awareness.
While apps like Truecaller also request similar permissions, the difference is crucial: they are user-installed apps that can be removed anytime. A system-level Sanchar Saathi cannot be uninstalled (unless the government ensures otherwise), meaning users may have little to no control over the data collected.
Why Privacy Experts Are Alarmed
Privacy advocates argue that when an app sits at the system level, it bypasses user consent mechanisms that Android typically enforces. This means:
• Continuous Access Without Prompting:
The app can read data silently in the background.
• Potential Cross-App Data Access:
Root-level permissions can bypass sandboxing, allowing visibility into other apps’ data.
• Centralised Data Storage Risk:
A single massive government database containing IMEIs, call logs, SMS metadata, and user identities becomes a high-value target for cybercriminals.
• Normalisation of Surveillance Infrastructure:
Mandating such apps sets a precedent that future apps could leverage.
While government officials maintain that data protection protocols are in place, the absence of a robust national privacy law intensifies public concern.
Balancing Security and Privacy: The Road Ahead
India faces genuine challenges in mobile fraud, cybercrime, and stolen device trafficking. The Sanchar Saathi app does address several of these issues effectively. However, the manner in which it is being implemented—especially through compulsory preloading—has sparked a nationwide debate on digital rights.
Questions now being asked include:
• Should essential government apps be optional rather than mandatory?
• Can transparency about data collection be improved?
• Should system-level access be restricted or audited independently?
• How will user deletion rights be enforced on diverse Android ecosystems?
As India’s digital economy grows, striking the right balance between national security, consumer protection, and personal privacy will determine the trust users place in their smartphones and the government.
Understanding the Stakes for Indian Smartphone Users
The Sanchar Saathi mandate marks a turning point in the country’s digital governance debates. While its intentions may be rooted in public benefit, the potential for misuse, overreach, or accidental exposure of sensitive data cannot be ignored. With billions of mobile connections and millions of devices sold annually, how this app is deployed and regulated may set the tone for future digital policies in India.
Click Here to subscribe to our newsletters and get the latest updates directly to your inbox