The department of telecommunications’ (DoT) SIM-binding mandate to prevent cyber fraud is likely to run into a technical hurdle that makes its rollout unfeasible. According to technical experts, the mandate is built on assumptions that current technology simply does not support.
The November 28 order issued by the DoT requires apps such as WhatsApp, Telegram and Signal to stay continuously linked to the active SIM inside a user’s phone and enforces six-hour logouts for web and desktop versions to prevent cyber fraud.
What do telecom experts say?
However, telecom and technology expert Parag Kar told Fe that the mandate in its present form is not workable on any mainstream mobile operating system. “Apple and Google do not permit apps to continuously access SIM identifiers, and that restriction exists by design for global security reasons,” Kar said.
“Even India’s banking apps do not do SIM binding because it is technically not feasible. The only correct method is for the mobile operator, not the app, to authenticate SIM identity through standards like GSMA Mobile Connect,” he said. According to Kar, trying to enforce SIM–app polling at the OS level would require Apple and Google to redesign their security architecture, something that’s unlikely to happen.
Kar explained that this is also why banking and UPI apps use device binding rather than SIM binding. When a banking app is first activated, it sends an SMS from the registered number and confirms that the message originated from that device. After this one-time check, continuous access to SIM identifiers is neither required nor attempted because iOS does not allow it and newer versions of Android restrict it for security and privacy reasons.
What does the app rely on then?
The app subsequently relies on a combination of device ID, encrypted keys and behavioural authentication instead of any ongoing SIM monitoring. Even if the handset is on Wi-Fi or in airplane mode, the app blocks transactions not because it can detect whose SIM is present but because it cannot establish a secure network trust state.
The Broadband India Forum (BIF) has gone a step further, calling the DoT directive a case of jurisdictional spill-over and regulatory overreach. The body, which is an association of technology players like Apple, Google, Meta, Amazon, and others, said that the new category of Telecommunication Identifier User Entity (TIUE), which emerged during the drafting of the Telecom Cyber Security Amendments, is now being used to extend telecom-style operational mandates onto over-the-top (OTT) digital services that fall squarely under the IT Act and the jurisdiction of the ministry of electronics and IT.
According to BIF, the directions have been issued without legislative basis, public consultation or assessment of consumer impact, and create policy uncertainty by blurring settled boundaries between the telecom and digital domains.
Beyond legality, BIF said the move would cause disproportionate disruption for genuine users. NRIs who depend on Wi-Fi to use their India numbers abroad, professionals whose workday relies on uninterrupted web-client access, households that separate voice and data SIMs across devices, and elderly users who struggle with repeated authentication could all face real inconvenience, while sophisticated fraud networks are unlikely to be meaningfully deterred.
TV Ramachandran, President of BIF, said the organisation remains aligned with the government’s cybersecurity objectives but strongly objects to the route chosen. “BIF stands ready to work constructively with the Government to strengthen India’s telecom cybersecurity architecture. However, the apprehension during earlier consultations that digital and OTT services may inadvertently be brought under telecom-style obligations now stands visibly manifest in the present directions,” Ramachandran said.
