A major political controversy broke out last week after the Centre directed smartphone manufacturers to pre-install the Sanchar Saathi app on new devices. The Opposition alleged that the move would enable the government to spy on citizens. Though the order has now been withdrawn, concerns about what the app actually does continue to dominate public debate.
To address these fears, Open-Source Intelligence (OSINT) team, in partnership with cybersecurity engineer Aseem Shrey, undertook a detailed forensic analysis of the app’s Android 10 version. Using decompilation—a standard technique used by developers and researchers—the team examined over 250 directories and 200+ files. Their findings were cross-verified by an independent cybersecurity professional and a Gurugram-based cybersecurity firm, both of whom requested anonymity.
The Verdict: No Evidence of Broad Snooping
Based on the current version of the app, investigators concluded that Sanchar Saathi does not appear to engage in mass or indiscriminate surveillance.
Much of the public fear stems from the permissions the app requests. While the iOS version seeks access to camera, files, and photos, the Android version — as with many apps — asks for more permissions. However, the permissions are not unusually invasive compared to common apps like Google, Instagram, or X, which require similar or even greater access.
Data Syncing Raises Questions, Says Expert
Despite the reassuring forensic findings, experts say transparency must remain a priority.
“Continuous background syncing and the possibility of future over-the-air updates mean transparency and safeguards are essential for user trust,” says Shrey, founder of ShipSec AI.
Fears vs. Forensic Findings
Concern 1: Government Can Access Call and SMS Logs
Finding:
After registration, the app accesses incoming, missed, and rejected calls from the past 29 days, but does not access outgoing call logs. This matches the app’s stated purpose of helping users report suspected scam or fraud calls.
The app uses an Application Programming Interface (API) to send data from the user’s phone to government servers. While call logs sit temporarily in a phone’s RAM, the API only transmits phone numbers reported by the user as fraud or scam.
Data syncs every 15 minutes, meaning the app interacts with the server 96 times a day.
Concern 2: App Collects IMEI Numbers to Track Users
Finding:
On devices running Android 10 or higher, apps cannot access IMEI information without a privileged Google-granted permission — READ_PRIVILEGED_PHONE_STATE — which Sanchar Saathi does not have.
Instead, the app uses MediaDrm, an in-built Android API recommended by Google to avoid IMEI tracking.
On older devices (Android 9), IMEI access is technically possible, but Shrey confirms:
“I didn’t find any API in the current version that accesses IMEI numbers.”
Concern 3: App Uploads Photos and Videos to Government Servers
Finding:
The investigation found no conclusive evidence of the app transferring photos or videos to government servers, although such functionality is technically possible.
Security Protocols Get High Marks
The analysis found that Sanchar Saathi employs strong security measures to protect data stored on devices and to safeguard data during transmission.
“The technical implementation shows genuine privacy-protective choices. The developers clearly thought about security,” Shrey said.
While the investigation found no indication of mass surveillance, cybersecurity experts stress that transparency, strong safeguards, and regular audits remain essential to maintain user trust.