Sanchar Saathi App
Sanchar Saathi App: A Critical Analysis
Overview and Purpose
Sanchar Saathi App is a citizen-centric digital safety initiative developed by India’s Department of Telecommunications (DoT). The app and corresponding portal are designed to empower telecom users against increasing threats of cyber fraud, mobile theft, and privacy misuse. Launched nationwide and recently in the news due to new government mandates, Sanchar Saathi enables users to:
Report fraud (calls, SMS, phishing) through the “Chakshu” module
Block or trace lost and stolen phones via integration with the CEIR (Central Equipment Identity Register)
Check and manage mobile numbers linked to their identity (prevents SIM misuse)
Verify whether a device is genuine using its IMEI
Report suspicious web links or international calls masked as Indian numbers
Access authentic bank and service contacts easily.
Its objectives are to curb telecom resource misuse, prevent cyber-enabled fraud, and foster user security in the digital landscape.
Recent News and Developments
In late November 2025, the DoT issued a directive making Sanchar Saathi pre-installation mandatory on all new smartphones sold in India. Additionally, manufacturers were asked to push the app via software updates to devices already in circulation. This attempt at universal rollout generated significant public debate and political controversy. Opposition parties, privacy advocates, and several parliamentarians raised concerns about privacy, surveillance, and user autonomy.
Key points in the news:
The government initially ordered that Sanchar Saathi be non-removable and always visible on phones.
Intense criticism led to clarifications by Telecom Minister Jyotiraditya Scindia, who stated on December 2, 2025, that installing and using the app would be voluntary and fully optional; users can delete it if they wish.
The Ministry emphasized that Sanchar Saathi has already helped trace over 26 lakh (2.6 million) lost phones, blocked over 6 lakh (600,000) fraud-linked devices, and disconnected 40 lakh (4 million) fraudulent mobile connections, demonstrating a strong positive impact on telecom security.
How Sanchar Saathi Works
The app becomes accessible either pre-installed on new phones or through updates for existing devices. For those who opt to use it:
Easy Onboarding: Users can log in with their mobile number. Registration on Android is automatic; on iOS, it requires user confirmation.
Permissions: The app requires access to manage calls, send SMS for registration, and read call/SMS logs for reporting features. These permissions are necessary for the core functionality but have raised privacy questions about potential misuse.
Reporting & Security Tools: Users can:
Report fraud directly from call/SMS logs (particularly useful for less aware or vulnerable users)
Block lost/stolen phones using the device IMEI (linked to the national CEIR database)
Check how many connections exist in their name and take corrective action if unauthorized numbers are detected.
The Controversy and Privacy Debate
The Sanchar Saathi rollout triggered a major privacy and surveillance debate:
Several political leaders termed the app “Orwellian,” referring to fears of state surveillance and branding it “Pegasus++” (alluding to previous spyware scandals). They argued the app, when made mandatory and non-removable, infringes upon fundamental rights of privacy and autonomy.
Critics highlighted that deep system-level permissions could—if abused—enable mass data collection, profiling, or tracking of individuals.
Advocacy groups warned against potential “mission creep,” where an initially security-focused app could expand into broader personal data monitoring.
Technical Concerns: Pre-installation without user consent or ability to remove the app was perceived as a form of forced software, undermining trust in both government and manufacturers.
The government’s clarification—that use is optional and data is not accessed without consent—helped cool tensions but did not fully erase skepticism.
Critical Analysis: Merits and Limitations
Strengths
Robust Cybersecurity: Sanchar Saathi addresses key vulnerabilities in India’s telecom ecosystem—SIM fraud, device theft, scam calls, and digital impersonation—by placing security tools in the hands of users.
Transparency and Empowerment: By letting users see all SIMs linked to their ID, the app increases awareness and helps prevent misuse of telecom resources.
Significant Impact: The tracing and recovery of millions of lost or stolen phones, disconnection of fraudulent numbers, and widespread adoption (20 crore users on portal, 1.4 crore app downloads) demonstrate tangible benefits in the fight against cybercrime.
User Autonomy (Post-Clarification): Allowing users to delete or deactivate the app upholds digital rights and mitigates fears surrounding state surveillance.
Limitations and Risks
Privacy Intrusions: Pre-installed system apps with deep permissions are a vector for possible surveillance or data misuse, especially if safeguards are weak or policies change.
Consent and Trust: The initial communication that deployment would be mandatory and irrevocable dented user trust, highlighting the need for transparent government-citizen engagement on digital rights and data protection.
Technical and Operational Challenges: Disparate Android/iOS processes for registration may confuse users; effective public communication and user education are necessary to maximize the platform’s potential.
Regulatory Oversight: Independent safeguards, audits, and strict policies are essential to prevent inadvertent or deliberate mission creep, ensure the app is used only for its intended purposes, and balance security interests with fundamental rights.
Sanchar Saathi: A Malware Attack Scenario and Critical Security Implications
The Risk Scenario: What If Sanchar Saathi Were Compromised?
The question of whether Sanchar Saathi could be attacked by malware from an enemy nation raises profound concerns about critical infrastructure vulnerability, national security implications, and mass data exposure. This scenario is not merely hypothetical—it highlights real architectural weaknesses in deploying a single, mandatory, non-removable government app across 735+ million smartphones.
Vulnerability Vectors: How an Attack Could Occur
System-Level Access and Permission Exploitation
Sanchar Saathi, when designed as a mandatory pre-installed app, requires system-level or root-level access similar to carrier or OEM system apps to ensure it cannot be disabled or removed by users. Technical analysis of the app’s Android APK file revealed that it requests permissions classified as “dangerous”—capabilities to:
Access camera and record videos
Read call logs and SMS data
Access external storage (memory cards and internal storage)
Determine phone numbers, serial numbers, and active call details
An adversary who compromises the app’s code or infrastructure could weaponize these permissions to conduct mass surveillance, exfiltrate personal data, or inject secondary malware payloads.
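An added example (not from the original article and not the app's own code): a Python check over a decoded AndroidManifest.xml, such as the one a tool like apktool produces, that groups the dangerous permissions a build requests and flags any new ones that appear in an updated build. The two manifests, the package name com.example.telecomsafety and the permission subset are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android runtime ("dangerous") permissions matching the capabilities discussed
# in the article; a subset chosen for this example, not the full platform list.
DANGEROUS = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.READ_PHONE_STATE": "phone identity",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}

def _manifest(perms):
    """Build a constructed sample manifest; not taken from any real app."""
    rows = "".join(
        f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.telecomsafety">{rows}</manifest>')

_BASE = ["INTERNET", "READ_CALL_LOG", "READ_SMS", "SEND_SMS", "READ_PHONE_STATE"]
BASELINE = _manifest(_BASE)                                   # reviewed build
UPDATE = _manifest(_BASE + ["CAMERA", "ACCESS_FINE_LOCATION"])  # later build

def dangerous_permissions(manifest_xml):
    """Map capability -> sorted dangerous permissions requested by a manifest."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            if name in DANGEROUS:
                found.setdefault(DANGEROUS[name], set()).add(name)
    return {cap: sorted(names) for cap, names in found.items()}

def permission_creep(old_xml, new_xml):
    """Dangerous permissions requested by the update but not by the baseline."""
    old = {p for ps in dangerous_permissions(old_xml).values() for p in ps}
    new = {p for ps in dangerous_permissions(new_xml).values() for p in ps}
    return sorted(new - old)

if __name__ == "__main__":
    for cap, perms in sorted(dangerous_permissions(BASELINE).items()):
        print(f"{cap}: {', '.join(perms)}")
    print("new in update:", permission_creep(BASELINE, UPDATE))
```

Run against each released build, the second function gives auditors a concrete gate: an update that requests a dangerous permission absent from the reviewed baseline is held for review.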
Supply Chain Attack Possibilities
The government’s directive requires manufacturers to push Sanchar Saathi via software updates to 735+ million existing devices. This creates a massive attack surface:
Compromised update servers could distribute malicious versions of the app
Attackers could intercept or modify the APK during transmission
Manufacturers’ development environments themselves could be targeted (a precedent exists: government security app vulnerabilities have been documented before)
Historical examples demonstrate that government apps are not immune to exploitation. In March 2024, CERT-In flagged critical vulnerabilities in government cybersecurity apps (USB Pratirodh and AppSamvid) designed by India’s C-DAC, which used weak cryptographic algorithms and could allow attackers to take control of systems. This precedent is alarming when considering Sanchar Saathi’s vastly larger scope.
Nation-State Targeting Capabilities
If a sophisticated state actor or coordinated cybercriminal group were to target Sanchar Saathi’s infrastructure or supply chain:
They could distribute a malicious version to all pre-installed devices, affecting 1.2+ billion users simultaneously
The app’s system-level privileges would allow unprecedented access to personal data across India’s telecom ecosystem
Users would have no ability to uninstall or escape the compromised app, given its mandatory, non-removable status
Cascading Impact: National-Level Consequences
Mass Surveillance and Privacy Breach
A compromised Sanchar Saathi could enable:
Real-time location tracking via device sensors and cellular data
Wholesale interception of calls and SMS before encryption occurs
Collection of contact lists, browsing history, and financial information
Identification of political dissidents, activists, and opposition figures through communication patterns
Weaponization of personal data for extortion, blackmail, or selective targeting
This would represent the largest single point of failure in India’s digital infrastructure, affecting citizens regardless of their technical literacy or security awareness.
Telecom Infrastructure Compromise
Since Sanchar Saathi integrates with the Central Equipment Identity Register (CEIR) and national telecom databases, a compromised app could:
Enable attackers to disable or blacklist legitimate phones en masse
Manipulate IMEI records, causing network chaos
Disrupt emergency services by interfering with SOS systems
Create “digital blackouts” for vast populations
This transforms a cybersecurity app into a weapon for infrastructure disruption, with implications comparable to attacks on power grids or water systems.
Financial Fraud and Economic Disruption
The app accesses users’ financial institutions’ trusted contact details and transaction-related communications. A compromised version could:
Facilitate mass banking fraud by intercepting OTPs and credentials
Enable unauthorized fund transfers across millions of accounts
Create cascading financial system instability
Erosion of Public Trust and Democratic Institutions
An attack revealing that the government controls mandatory surveillance infrastructure would:
Undermine trust in state institutions and digital services
Discourage legitimate app usage and voluntary compliance with government initiatives
Fuel conspiracy theories and social polarization
Strengthen authoritarian narratives about government overreach
Existing Vulnerabilities in India’s Cybersecurity Posture
India faces an alarming trend of cyber threats:
126% year-over-year surge in ransomware attacks in Q1 2025, placing India among the top five targeted nations globally
India ranks as the second-most targeted nation for cybercrime attacks in 2024, after only the United States
6,000+ cyber-attack attempts were made against ICMR servers in a single year, with central agencies aware of the threat but insufficient preventive action taken
Critical infrastructure systems lack adequate segmentation, rely on outdated software, and face supply chain vulnerabilities across sectors
Government apps themselves have demonstrated security gaps. These facts underscore that an attack on Sanchar Saathi is not speculative—it exploits proven weaknesses.
Architectural Design Flaws Enabling Attack Success
Lack of Decentralization
Unlike decentralized security models, Sanchar Saathi is a centralized, monolithic app with all permissions, infrastructure, and user data flowing through government-controlled servers. A single compromise cascades to all users simultaneously.
No User Override or Killswitch
Because users cannot delete, disable, or sidestep the app, there is no individual opt-out mechanism if a breach is detected. Mass uninstallation would be impossible, leaving compromised systems active.
Inadequate Transparency
The initial rollout was conducted privately and non-transparently, without public security audits or independent verification of the app’s code or infrastructure before deployment to hundreds of millions of devices.
Critical Analysis: Why Mandatory Pre-Installation Amplifies Risk
| Aspect | Risk Factor | Implication |
|---|---|---|
| User Consent | Removed entirely by mandate | No accountability to users; users cannot refuse compromised system |
| System Privileges | Root/system-level access required | Compromised app can access all device functions and data |
| Scale | 735+ million devices | Single attack affects entire nation’s digital identity; unprecedented attack surface |
| Removal | Non-disableable | No emergency mitigation available to users or authorities |
| Update Mechanism | Mandatory via software updates | Supply chain becomes vector for mass malware distribution |
| Centralization | Single point of failure | Compromise of app infrastructure = compromise of national telecom security |
| Regulatory Oversight | Minimal external auditing | Limited independent verification of security posture |
Conclusion
Sanchar Saathi is a bold step towards protecting Indian citizens from rampant telecom fraud and enhancing mobile security. Its real-world impact is proven by millions of tracked phones and blocked fraud connections. However, the controversy over its (temporarily) mandatory deployment reveals lingering challenges around privacy, digital consent, and the importance of clear government-citizen communication.
For sustained success and trust:
The government should cement user autonomy, transparency, and robust data-protection regulations in all future digital-security initiatives.
Ongoing public oversight and open feedback mechanisms will ensure that the line between security and surveillance is never blurred.
Sanchar Saathi’s evolution—voluntary, rights-respecting, and effective—could serve as a model for balancing digital innovation with democratic freedoms in India’s digital future.
