In a sweeping overhaul of India’s digital communications framework, the Union Government has issued a mandatory directive requiring all major messaging applications, including WhatsApp, Telegram, Signal, Snapchat, ShareChat, JioChat, Arattai and Josh, to integrate SIM binding into their systems within the next 90 days. The move represents one of the most significant cybersecurity reforms introduced in recent years, with broad implications for user privacy, app functioning, national security, and India’s ability to curb cybercrimes launched from foreign soil.
The order, issued by the Department of Telecommunications (DoT), comes in compliance with directions from the Supreme Court, which has repeatedly underlined the urgent need for robust cybersecurity mechanisms across all communication platforms functioning in the country. The Centre maintains that the new rule is indispensable to shut down the loopholes exploited by fraudsters and scammers who misuse inactive, discarded or remotely operated mobile numbers to commit crimes.
At its core, SIM binding requires that a messaging app function only when the same SIM card used during registration is actively present in the user’s device. If that SIM is removed, switched or deactivated, the app must automatically stop working until the correct SIM is reinserted. With this, India becomes one of the first major nations to enforce real-time SIM authentication across all communication platforms.
How SIM binding will operate across all devices and apps
Under the new mandate, every supported messaging application must verify whether the original SIM card, used at the time of account registration, remains inserted in the device. If this SIM is removed, or even if the number is deactivated by telecom operators, the app must immediately block access. Services will resume only after the registered SIM is detected again. The rule applies uniformly across Android devices, iPhones and feature phones.
A significant change is the inclusion of web-based access in the mandate. For instance, WhatsApp Web, Telegram Desktop and all similar platforms will now be required to implement automatic logout every six hours. Users wishing to continue their session will have to re-authenticate themselves by scanning a QR code from the device containing the registered SIM card. The DoT has made it clear that long-running web sessions, especially those that can be accessed across borders, pose a major security risk and need strict regulation.
Messaging platforms have been given 120 days to file a compliance report with the government, detailing the technical modifications implemented and the mechanisms adopted to ensure adherence.
What the Government wants to fix
The DoT has emphasised that the current system poses a significant threat to cybersecurity. Even when a user discards a SIM card or removes it from their device, messaging apps continue to operate uninterrupted because authentication is done only once during account creation. This loophole is widely exploited by cybercriminals, particularly those operating from outside India, who gain access to dormant accounts linked to Indian numbers and use them to carry out scams, digital arrest schemes, impersonation fraud, sextortion, PAN-update scams and a range of phishing attempts.
Since the SIM card is not physically present in the device used by criminals, tracing the origin of the crime becomes extremely challenging. The DoT believes real-time SIM monitoring is the only way to put an end to such anonymous and untraceable communication. The telecom industry too has supported the measure, emphasising that the persistent gap in app-based verification weakens national cybersecurity and exposes users to large-scale fraud.
Web access restrictions introduced
Beyond SIM binding, the government has also tightened rules for web-based access to messaging apps. Platforms such as WhatsApp Web and Telegram Desktop will be required to enforce periodic logouts to prevent prolonged authentication sessions. This is specifically aimed at criminal operators who access accounts from foreign locations without the knowledge of either telecom operators or the users themselves.
Officials believe these reforms are essential to bring communication apps on par with banking, UPI and financial platforms, which already employ stringent SIM-based authentication for every transaction.
What will change and what won’t
For most users who rely on a single device with an active SIM card, the impact will be minimal. Day-to-day messaging, calling and media-sharing will continue as usual. However, certain user behaviours will face noticeable restrictions. Individuals who frequently switch SIM cards, use secondary devices without a SIM, operate tablets for messaging, or rely heavily on web versions will experience disruptions. They may need to log in more often, authenticate themselves periodically, and undergo identity verification if the app detects the absence of the original SIM.
Dual-SIM users may also need to ensure that the number used for registration remains active and inserted in the primary slot of their device.
Government makes Sanchar Saathi App mandatory
In a parallel move, the DoT has asked smartphone manufacturers, including Apple, Samsung, Vivo, Oppo, Xiaomi and others, to pre-install the Sanchar Saathi app on every new smartphone sold in India. The app assists users in identifying fraudulent numbers, blocking lost or stolen devices, and reporting suspicious activity.
Manufacturers have been given 90 days to integrate the app at the system level. Crucially, the government has mandated that the app must not be deletable by users. For devices already in circulation, phone makers will roll out the app through software updates.
The SIM binding mandate will be fully implemented from February 2026. After that date, all communication applications whose authentication or service delivery is linked to an Indian mobile number must comply with the new rules. The Centre asserts that the measure is essential to protect citizens from the surge in online fraud, fake identities, deepfake impersonation, and scams conducted using Indian numbers from foreign soil.
Despite mixed opinions, the new directive marks a turning point in India’s digital regulation landscape. Over the next few months, messaging apps will begin overhauling their login systems, authentication processes, and web access features, gradually transitioning India’s communication ecosystem into a more secure but more tightly regulated regime.
The coming year will reveal how smoothly apps adapt and how effectively the reform curbs the epidemic of cyber fraud sweeping across the digital world.