India Mandates SIM Binding for WhatsApp, Telegram, and Other Messaging Apps
The Indian government has directed popular messaging platforms including WhatsApp, Telegram, and Signal to implement mandatory, continuous SIM card linking. Under new cybersecurity rules, users may also be logged out of web versions every six hours, requiring QR code reauthentication.
Key Changes for Users
- Messaging apps must ensure an active SIM card remains linked to the service
- Web app users will be logged out automatically every 6 hours
- Reauthentication via QR code scan will be required after each logout
- Platforms have 90 days to comply with the new regulations
The Department of Telecommunications (DoT) has classified these services as Telecommunication Identifier User Entities (TIUEs) under the Telecommunication Cybersecurity Amendment Rules, 2025. This marks the first time app-based communication services face telecom-style regulation in India.
Closing Security Loopholes
The government aims to address a significant security gap where apps currently verify mobile numbers only during initial installation. After this one-time check, applications continue functioning even if the SIM card is removed or deactivated.
“The binding process between a subscriber’s app-based communication services and their SIM card occurs only once during installation, after which the application continues to function independently,” explained the Cellular Operators Association of India (COAI).
This vulnerability enables cybercriminals, often operating from outside India, to continue using these apps after switching or deactivating SIMs. The new persistent SIM binding would “maintain critical traceability between the user, the number, and the device,” potentially reducing spam, fraud communications, and financial scams.
Existing Precedents and Expert Views
Similar security measures already operate in digital payments. Banking and UPI apps enforce strict SIM verification, while SEBI has proposed linking trading accounts to SIM cards with facial recognition for additional protection.
Cybersecurity experts remain divided on the effectiveness of SIM binding. Some specialists note scammers can bypass these measures using forged identification to obtain new SIM cards, offering “limited benefits.” Meanwhile, telecom industry representatives argue that mobile numbers represent India’s most reliable digital identifiers and believe the move will strengthen cybersecurity accountability.
The implementation challenge now falls to platforms like WhatsApp and Telegram, which must balance these new requirements with user experience and privacy considerations. For millions of Indians, this could mean reduced convenience on web browsers and potential lockouts if their SIM becomes inactive.
