Author’s Note: On October 23 2023, three days after this article was published, Megam Solutions Pvt Ltd issued a public announcement in the print edition of The Hindu, saying an engineer working on an open source repository made an unintentional mistake and mentioned the name ‘BharOS’. This change in the open source code has no connection whatsoever with BharOS used by JandK Operations Pvt Ltd, it said. Despite this development, questions raised within this article about the security claims and the indigenous nature of the BharOS project still stand.
In a development that has sparked outrage among India's free and open source software communities, it has come to light that India's much-hyped ‘indigenously developed’ mobile operating system, BharOS, could in fact be a simple clone of GrapheneOS – a popular privacy and security focused mobile operating system – with a few cosmetic changes. The discovery raises questions about the integrity and competency of the team behind BharOS. It also raises questions about a fervour for homegrown technology as a matter of national identity and pride, one that risks overlooking the absence of evidence and of independent verification by domain experts to support such claims.
Development of BharOS
In recent years, there has been growing rhetoric of making India an ‘Atmanirbhar’ (or self-reliant) nation. This rhetoric has pervaded many industries, as one might expect, but it has also lately found utterance in the realm of technology.
Last year, news about an indigenously developed mobile operating system called ‘BharOS’ made waves across free and open source software communities in India. The operating system was said to have been designed and developed by a company formed at the Indian Institute of Technology Madras (IIT-M) and incubated by a non-profit research and development initiative of the institute known as IITM Pravartak, which receives funding from the Department of Science and Technology (DST) of the Government of India.
The project seemed ambitious from the start, and the team behind BharOS made several bold claims about the security and privacy features of their offering. JandK Operations Pvt Ltd, the company behind BharOS, has for the most part been quiet since then. This changed in late September, however, when what appeared to be the source code for BharOS surfaced: a user of the collaborative software development platform GitHub had accidentally published it.
Members of the open source community in India were quick to notice that something was off with the published source code. A cursory inspection of the history of changes committed to the project made it apparent that the software repository for BharOS, the ‘secure’ and ‘private’ indigenous mobile OS, was a mere cosmetic fork, or derivative, of an existing open source privacy and security focused mobile operating system project – GrapheneOS.
There is nothing wrong with forking and building off an existing open source project to suit one’s own requirements. It is a considerable challenge to build and deploy any kind of technology in a silo. This becomes even more difficult when developing low-level software, such as a mobile operating system, which requires specialist knowledge of various niche subjects – system architecture, kernel programming, networking, security, and much more.
A cosmetic clone
BharOS, however, appears to be nothing more than a simple ‘find and replace’ job, in which strings originally referring to 'GrapheneOS' have been collectively replaced with 'BharOS', raising questions about the intent, integrity, and competency of the team involved in its development. Claiming technology developed by open source contributors as one’s own, and painting it as an ‘Atmanirbhar’ effort, is disingenuous. It invisibilises the labour and intellectual property of those contributors.
The BharOS project might also be in violation of the open source software licence under which GrapheneOS is shipped. While that licence permits use, modification, and redistribution of the source code, it also requires that the original copyright and licence notice be retained in any copy or modified distribution of the code. The licence was, however, conveniently omitted from the BharOS repository.
The claims surrounding the security and privacy features of such a project should also be taken with a grain of salt. This is primarily because of a well-known maintenance problem that forking an existing open source project introduces. As the downstream (child) source tree diverges from the upstream (parent) tree, fixes for vulnerabilities uncovered upstream become progressively harder to merge or backport downstream, and each one has to be ported by hand wherever the code no longer matches.
This essentially means that any security update released for GrapheneOS reaches BharOS users only as quickly as its maintainers merge it, if they merge it at all, and that users are exposed in the interval. A fork that tracks upstream closely can take fixes quickly; the open question is whether, and on what schedule, the BharOS team actually does so.
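The two checks above, that a fork is only a rename and that upstream fixes still apply to it, can be made mechanical. The following is an added example, not code from the article, from BharOS or from GrapheneOS: it normalises a brand rename out of a fork and classifies each file as cosmetic or substantive, then approximates the context matching that `patch` performs to decide whether an upstream security fix still lands cleanly on the fork's copy of a file. The file trees, the rename mapping and the "fixes" are constructed toy data.

```python
"""Added example (not from the article, BharOS or GrapheneOS): measure how much
a fork really differs from upstream once a brand rename is normalised away,
and check whether an upstream security fix still applies to the fork's file.
All trees and renames below are constructed toy data."""
import difflib
from typing import Dict, List, Tuple

# Constructed rename mapping: fork's name -> upstream's name.
# Mixed-case form first so it is not mangled by the lower-case rule.
RENAMES: List[Tuple[str, str]] = [("BharOS", "GrapheneOS"), ("bharos", "grapheneos")]

# Constructed toy upstream tree (path -> contents) before a fix...
UPSTREAM_OLD: Dict[str, str] = {
    "README.md": "GrapheneOS is a privacy and security focused mobile OS.\n",
    "app/Update.java": (
        "package app.grapheneos.update;\n\nclass Updater {\n"
        "    static final String SERVER = \"https://releases.grapheneos.org/\";\n"
        "    static int checkLength(int n) {\n"
        "        if (n > MAX) return -1;\n"
        "        return 0;\n    }\n}\n"
    ),
    "net/Resolver.java": (
        "class Resolver {\n    static String resolve(String host) {\n"
        "        return lookup(host, 53);\n    }\n}\n"
    ),
}
# ...and after two hypothetical security fixes landed upstream.
UPSTREAM_FIXED: Dict[str, str] = dict(UPSTREAM_OLD)
UPSTREAM_FIXED["app/Update.java"] = UPSTREAM_OLD["app/Update.java"].replace(
    "if (n > MAX)", "if (n >= MAX)")                      # off-by-one bound
UPSTREAM_FIXED["net/Resolver.java"] = UPSTREAM_OLD["net/Resolver.java"].replace(
    "lookup(host, 53)", "lookupEncrypted(host, 853)")     # plaintext DNS

# The fork: every file rebranded, plus one real local change in one file.
FORK: Dict[str, str] = {
    path: text.replace("GrapheneOS", "BharOS").replace("grapheneos", "bharos")
    for path, text in UPSTREAM_OLD.items()
}
FORK["net/Resolver.java"] = FORK["net/Resolver.java"].replace(
    "lookup(host, 53);", "lookup(host, 5353); // fork-local resolver")


def normalise(text: str, renames: List[Tuple[str, str]] = RENAMES) -> str:
    """Undo the fork's rebranding so that only real code changes remain."""
    for fork_name, upstream_name in renames:
        text = text.replace(fork_name, upstream_name)
    return text


def classify_divergence(upstream: Dict[str, str], fork: Dict[str, str],
                        renames: List[Tuple[str, str]] = RENAMES) -> Dict[str, str]:
    """Label each path: identical, cosmetic (rename only), substantive, missing, added."""
    labels: Dict[str, str] = {}
    for path in sorted(set(upstream) | set(fork)):
        if path not in fork:
            labels[path] = "missing"
        elif path not in upstream:
            labels[path] = "added"
        elif fork[path] == upstream[path]:
            labels[path] = "identical"
        elif normalise(fork[path], renames) == upstream[path]:
            labels[path] = "cosmetic"
        else:
            labels[path] = "substantive"
    return labels


def _contains_run(haystack: List[str], needle: List[str]) -> bool:
    """True if `needle` appears as a contiguous run of lines in `haystack`."""
    n = len(needle)
    return any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))


def fix_applies(upstream_old: str, upstream_fixed: str, fork_file: str,
                renames: List[Tuple[str, str]] = RENAMES) -> bool:
    """Approximate patch(1) context matching: every hunk of the upstream fix,
    with one line of context either side, must still occur verbatim in the
    de-rebranded fork file. A local edit in that region means the fix no
    longer applies and must be ported by hand."""
    old = upstream_old.splitlines()
    new = upstream_fixed.splitlines()
    target = normalise(fork_file, renames).splitlines()
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    for tag, i1, i2, _j1, _j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        hunk = old[max(0, i1 - 1):min(len(old), i2 + 1)]
        if not _contains_run(target, hunk):
            return False
    return True


def fork_report(upstream_old: Dict[str, str], upstream_fixed: Dict[str, str],
                fork: Dict[str, str], renames=RENAMES) -> Dict[str, str]:
    """Per file: how far the fork diverged, and whether upstream's fix still lands."""
    report: Dict[str, str] = {}
    for path, label in classify_divergence(upstream_old, fork, renames).items():
        if path not in upstream_fixed or path not in fork:
            report[path] = label
        elif upstream_old.get(path) == upstream_fixed[path]:
            report[path] = f"{label}, no upstream fix"
        elif fix_applies(upstream_old[path], upstream_fixed[path], fork[path], renames):
            report[path] = f"{label}, upstream fix applies"
        else:
            report[path] = f"{label}, upstream fix needs manual port"
    return report


if __name__ == "__main__":
    for path, verdict in fork_report(UPSTREAM_OLD, UPSTREAM_FIXED, FORK).items():
        print(f"{path:18} {verdict}")
```

On the toy data the report shows the two failure modes side by side: the rebranded-only files take the upstream fix cleanly, while the one file the fork actually edited rejects it, so that fix would have to be ported by hand and would lag upstream by however long that takes. Against a real pair of repositories the same logic runs over `git diff` output between the upstream fix and its parent, with the rename mapping extended to package names, domains and any other identifiers the fork touched.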
These concerns highlight the importance of transparency, ethical conduct, and respect for the contributions of others in the realm of open source technology development and innovation.
Technological mysticism
Prof V Kamakoti, director of IIT-M and a long-time proponent of BharOS, said while addressing a press conference earlier this year that BharOS would “revolutionise the way users think about security and privacy on their mobile devices.” The Press Information Bureau, reporting from the same press conference, wrote that BharOS was already “being provided to organisations [with] stringent privacy and security requirements.”
Apart from his association with BharOS, Prof Kamakoti is also a member of the National Security Advisory Board. He is known for a controversial proposal he previously put forth at the behest of the Supreme Court of India, suggesting techniques that messaging platforms such as WhatsApp could employ to let law enforcement agencies trace the ‘first originator’ of offending content sent over end-to-end encrypted messaging platforms.
The proposal drew heavy criticism from digital rights activists and proponents of user privacy, who argued that the techniques put forth by Prof Kamakoti would compromise the core privacy offering of end-to-end encrypted messaging apps, and that mechanisms enabling message traceability could serve as a precedent for attempts by other countries to weaken end-to-end encryption and encroach on individual privacy.
It is important to ensure that claims about the supposed security and privacy advantages of a particular technology are backed with evidence that can be independently analysed and verified by experts. In the same vein, it bears repeating that technology does not become ‘more secure’ simply because it was developed indigenously.
A truly homegrown mobile OS might provide some security benefit by reducing dependence on foreign vendors, and with it some exposure to software supply chain attacks; but that benefit exists only if upstream components are actually replaced rather than relabelled, and a fresh code base could just as well introduce a host of privacy and security problems that nobody has yet thought about. All of this is to say that technology is not magic, and that technological solutions to problems such as privacy and security should be promoted not on the strength of mere claims, but only after those claims have been studied and verified.
Karan Saini is a security researcher and technologist from New Delhi.