October 30, 2023
BENGALURU – BharOS, touted as India’s home-grown answer to Google-owned Android and Apple’s iOS, is now believed to be a clone of popular Android-compatible operating system GrapheneOS, say digital security experts in India.
The government-sponsored team behind BharOS has denied any similarity between the two operating systems.
But without any evidence given by the team for its assertion, questions from the open source software community refuse to die down.
The Indian government launched BharOS in January and celebrated it as an indigenous, secure, privacy-focused operating system.
The name evokes the Hindi word for “trust”, and the system was supposedly developed by JandK Operations, a company incubated at Pravartak Technologies Foundation, the technology innovation hub of the elite Indian Institute of Technology in Madras.
Pravartak receives funding from the Indian government’s Department of Science and Technology.
Although there were always doubts about whether BharOS could compete with Android, India’s efforts to develop its own local tech ecosystem were lauded by the media and software developers as a legitimate way to challenge the Google-Apple big tech duopoly, and fuel the economy.
The Indian government also claimed that BharOS is made for those who have stringent privacy and security requirements.
In a March article in Mint, an Indian newspaper, Indian Institute of Technology (IIT) Madras’ director V. Kamakoti said BharOS uses an “Android-type” interface but the underlying work by JandK Operations includes security operations, verification methods and other things, all of which are “not there in conventional Android forks”.
In software engineering, to “fork” is to propose changes to an existing software project or use someone else’s project as a starting point for an individual idea.
However, doubts began to emerge in September about BharOS’ originality and claims of security, after a user with some links to Pravartak accidentally published on collaborative software development platform GitHub what seemed to be the source code repository for BharOS.
Some in India’s open source software community said the code looked to have been entirely copied from GrapheneOS, with only cosmetic changes. GrapheneOS is an open operating system developed by American Daniel Micay, and used in some Google Pixel smartphones.
The allegation was first made on Sept 28 by @TechLeaksZone, the X – formerly known as Twitter – account of a Telegram channel that shares smartphone news.
It said: “Things forked from GrapheneOS to indigenously develop BharOS include Settings App, Camera App, Frameworks Base, Platform, Manifest, Setup Wizard, Updater etc. In short, everything has been forked.”
It is common, acceptable and legal to fork free and open software (like Android and GrapheneOS), said Mr Karan Saini, a network and application security researcher based in New Delhi.
But he added: “If BharOS indeed does fork GrapheneOS or Android Open Source Project, how can it be considered and promoted as being indigenous?”
Pravartak has declined any association between the GrapheneOS fork and BharOS.
In a Sept 30 tweet, Pravartak identified the code published on GitHub as originating from a Chennai-based software firm called Megam Solutions.
“This fork has nothing to do with BharOS of our incubated company, JandK Ops. On investigation, we found that one of the engineers in Megam wanted to try out a port of Android and he used the name BharOS unintentionally,” the company’s tweet said.
The user who shared the code seems to be Mr Sadhasivasubramanian H, founder and chief technical officer of Megam Solutions, whose website shows Pravartak as one of its clients, and which offered at least one six-month training course on mobile networks at IIT Madras in 2022.
Megam Solutions also issued a public statement on Oct 23, saying it “deeply regrets an unintentional mistake committed by one of our engineers while working in the open source public repository and mentioned the name BharOS… This change in the open source code has no connection whatsoever with BharOS used by M/s J&K Ops Pvt Ltd”.
An IIT Madras spokesman declined to answer The Straits Times’ queries on whether Megam had any role in developing BharOS, how Megam, JandK and Pravartak are linked, or how the user got the source code.
“GrapheneOS has not communicated with IIT Madras or any persons involved with BharOS or SenaOS. Before we heard of the code leak, we were not aware that they may be using GrapheneOS and have been unable to confirm that this is certainly the case,” Mr Carlos Anso, a member of GrapheneOS Foundation, told The Straits Times.
Security experts said that any doubts around the indigeneity and security of a project funded by Indian taxpayers could be settled with greater transparency around who was involved in building the operating system, and what exactly made BharOS indigenous and more secure than other systems.
“The source code (of BharOS) has not yet been made public despite press conferences mentioning it as an open source project,” said Mr Saini.
Mr Srinivas Kodali, a Hyderabad-based researcher on privacy and security, said the opaqueness around the technology was unfortunate and unacceptable.
“When someone claims to have the most secure app out there, it needs to be backed by some audits by other cyber-security firms. Right now, what we have are a lot of claims but none has been verified,” he said.
While a code need not be open source all the time, organisations do reveal the code to verify claims.
But India’s “security through obscurity, where we think keeping things secure requires us not to be transparent about them”, is not how privacy technologies are created, Mr Kodali said.