App-based communication providers like WhatsApp and Telegram can at most implement device-level binding, not true SIM binding, telecom specialist and former Qualcomm Vice President for Government Affairs (India & South Asia), Parag Kar, told MediaNama.
Kar’s comments come in the context of the recent SIM binding directive that the government issued to messaging apps like WhatsApp, Telegram, Signal, Arattai, Snapchat, ShareChat, JioChat, and Josh. To explain, the government instructed them to not allow users to access their services without a continuous SIM connection.
Notably, the app-based communication providers also have to make sure that they log users out of web-based connections no later than six hours. Apps also have to provide users a QR code-based method to log back in on their web-based services.
Kar noted that the way the Department of Telecommunications (DoT) has worded the SIM-binding directive requires apps to continuously verify the underlying identity of the SIM.
“For example, if you registered WhatsApp using a Jio SIM, the app would need to ensure that the same SIM — with the same identity parameters — remains active on the device at all times.
“To do this, the app would need access to SIM identifiers like IMSI (International Mobile Subscriber Identity) or ICCID (Integrated Circuit Card Identification Number). But iOS does not expose these identifiers at all, and modern Android versions restrict access for third-party apps,” Kar remarked.
“Without deep OS-level support from Apple or Google, continuous SIM validation is technically infeasible,” he added.
So what can app-based communication providers do?
Kar said that the closest an app can get today is device binding, similar to what banking or UPI (Unified Payments Interface) applications use.
“When you install a banking app on a dual-SIM phone, the app asks which SIM to register with and sends an OTP to that number. After onboarding, if you simply deactivate the registered SIM in settings but keep the SIM physically present, the banking app will often continue to work. This proves that the binding is to the device identity, not to the continuous SIM identity. SIM change is treated only as a security signal, not a binding anchor.”
He emphasised that modern iOS and Android architectures are intentionally designed to hide SIM identifiers from apps for privacy and security reasons. “The technically correct way to achieve continuous SIM assurance is through a network-operator-level protocol such as GSMA Mobile Connect, where the operator verifies the SIM upon request. This avoids weakening OS (operating system) security models while still achieving strong identity assurance,” Kar explained.
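The device-binding behaviour described above can be modelled in a few lines. This is an added illustration, not code from the article or from any real app: the class, method names, phone number and OTP are constructed, and the SIM-change report is assumed to be an advisory client signal because the app cannot read IMSI or ICCID itself.

```python
import hashlib
import hmac
import secrets

class DeviceBindingServer:
    """Toy server that binds an account to a device key, not to the SIM."""

    def __init__(self):
        self.accounts = {}  # phone number -> {"key": bytes, "step_up": bool}

    def onboard(self, number, otp_sent, otp_entered):
        # The SIM is proven exactly once: it received the OTP at enrolment.
        if not hmac.compare_digest(otp_sent, otp_entered):
            raise PermissionError("OTP mismatch")
        key = secrets.token_bytes(32)  # would live in the device keystore
        self.accounts[number] = {"key": key, "step_up": False}
        return key

    def report_sim_change(self, number):
        # Advisory signal only: it raises risk, it is not the binding anchor.
        self.accounts[number]["step_up"] = True

    def authenticate(self, number, challenge, response):
        acct = self.accounts[number]
        expected = hmac.new(acct["key"], challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return "deny"  # wrong device key
        return "step_up_otp" if acct["step_up"] else "allow"

def device_response(key, challenge):
    """What the enrolled device computes to prove it holds the key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def demo():
    server = DeviceBindingServer()
    number = "+910000000000"  # constructed sample number
    key = server.onboard(number, "123456", "123456")
    # SIM deactivated in settings: the server sees nothing, the key still works.
    c1 = secrets.token_bytes(16)
    sim_off = server.authenticate(number, c1, device_response(key, c1))
    # A reported SIM change triggers re-verification rather than a lockout.
    server.report_sim_change(number)
    c2 = secrets.token_bytes(16)
    sim_changed = server.authenticate(number, c2, device_response(key, c2))
    # A different device (different key) fails regardless of SIM state.
    other = server.authenticate(number, c2, device_response(secrets.token_bytes(32), c2))
    return sim_off, sim_changed, other
```

Nothing in `authenticate` depends on the SIM being present, which is why continuous SIM assurance needs an operator-side check rather than app-side logic.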
The challenges of ensuring OS-level compliance with SIM binding:
Similar to what Kar said, Saikat Datta, Co-Founder of Deepstrat, previously told MediaNama that the directions lacked clarity on the kind of…