The BharOS claim about being "secure" is BS. They are always going to lag
Android in terms of security updates. Google is not going to share
vulnerabilities in advance with an untrustworthy govt that issued fake SSL
certs for Google services and got booted from all browsers.

Quote

Replying to @flairvelocity @dhina17l and @iitmadras

LOL @ "bullet proof security". If they forked from AOSP, they'll always be
lagging Android in security updates. If they forked from LineageOS, they'll be
lagging both Android and LineageOS in security updates.

Remember when every news outlet blindly parroted this load of BS from

and IT Cell had bhakts circlejerking? Only thing "Atmanirbhar" about their
BharOS is the pure unadulterated bullshit in their press release.
thehindu.com/sci-tech/techn

Quote

BREAKING: India's indigenous BharOS Leak shows it's literally a fork of
GrapheneOS. BharOS source-code has been leaked as its GitHub repositories
have been made public. It was indigenously developed by IIT Madras & it took
1yr to develop the system. More info: t.me/techleakszone/

Now that it has been established beyond doubt that


hasn't built any OS of their own. Will

be updating this jingoist sarkari propaganda piece masquerading as


journalism to reflect reality? cc:

Wonder how much taxpayer money was funneled into this project both via

and via PSUs and government departments buying this "secure" OS that
takes open source code and hides it?

Quote

UPDATE: BharOS Team deleted the GitHub account only "sadhasiva1984" on
github was the guy who by mistake made the BharOS GitHub repo public.
Damn, we scared the shit out of him. Here is the Forked BharOS Repo
(git.it-kuny.ch/BharOS/) since it was mirrored BEFORE he deleted it

Any organisation with such "stringent privacy and security requirements"


would have been better off using an MDM system to lock down their device
instead of blindly trusting this blackbox from a bunch of charlatans changing
text strings to create an OS. thehindu.com/news/national/

There are multiple repos which contain just a makefile and a binary apk. Not
sure if it's this person's personal work or if that's how #BharOS is actually
being built. Random binaries checked into a repo instead of CI/CD building
from source + stored as trusted artifacts. o_O

Since pretty much everything #BharOS boasts about can be achieved with an
MDM. This repo looked interesting, so I decided to look at the APK.

Quote
Replying to @kingslyj and @iitmadras

Any organisation with such "stringent privacy and security requirements"


would have been better off using an MDM system to lock down their device
instead of blindly trusting this blackbox from a bunch of charlatans changing
text strings to create an OS. thehindu.com/news/national/

They seem to have created an MDM called "Megam MDM". (Megam is cloud
in Tamil)

Turns out

has not just an "indigenous" #Atmanibhar OS. They've apparently also


created "indigenous" Google Firebase and Google App Engine!

Looks like they named the product without buying the associated domains.
So while they use in.megam.kiosk megam.in seems to have been owned by
someone in Kerala.

Looks like @iitmadras' Megam MDM, the #BharOS MDM is neither open source
nor indigenous. These strings don't yield any results in Google or DDG. And
localisation in German/French/Spanish and MIUI support isn't exactly their
priority.

Considering much boasted features of #BharOS are from MDM and MDM is not
developed in-house but licensed/whitelabelled from somewhere. Who is
responsible for the security of the MDM? (If their MDM server is
compromised, all devices are compromised.)

Quote
Replying to @kingslyj

Looks like @iitmadras' Megam MDM, the #BharOS MDM is neither open
source nor indigenous. These strings don't yield any results in Google or
DDG. And localisation in German/French/Spanish and MIUI support isn't
exactly their priority.

So

Director V Kamakoti doesn't know the first thing about Linux distros or
security. (Ironically he is from their CSE department.) This is just so much
illogical bullshit from him in just this one paragraph.
moneycontrol.com/news/business/

Let's break down the BS and ignorance of

director V Kamakoti. "Any Android operating system is a fork of original Linux


distribution." 1. No such thing as an "original Linux distribution". Also Android
differs significantly from both past and current Linux distros,

"We have used some early versions of Linux." This is not a flex. Nobody in
their right mind bases any fresh long term project on "some early version of
Linux". They are forced to use it because Android still uses an older kernel
(which was current when Google started using it)

In fact Android has been working to move away from older kernel forks and
closer to mainline. And PostmarketOS is making a mobile Linux distro that
works just like regular Linux distros.

"lot of customisation including security protocols, such as root of trust and


chain of trust modifications have been done to create BharOS." Despite "lot
of customisations" they chose to highlight the one change that is both trivial
and also most detrimental to privacy/security.

illegally issued SSL certificates for Google and Yahoo! (allowing traffic to their
sites to be MITM'd (intercepted/decrypted)). As a result Indian CA certs were
removed from chain of trust in all browsers and OSes as they were
untrustworthy.

Quote

Replying to @kingslyj

This government has been actively trying to backdoor/MITM everybody. Back


in 2014, within a month of coming to power, Chowkidar sarkar MITM'd traffic
to Google and Yahoo and got @NICMeity 's Certificate Authority blacklisted
across browsers and OSes. security.googleblog.com/2014/07/mainta

So BharOS is actually reversing a change that was put in place to improve


user security and privacy but the ignorant Director of

thinks this is a good thing.

Quote

We have received reports about BharOS forks in git attributed to #Megam.


This fork has nothing to do with BharOS of our incubated company,
JandKOps. (1/2) @IITMPravartak @IndiaDST @iitmadras #jandkops

This is just one commit in the Camera app repo.
git.it-kuny.ch/BharOS/Camera/ "58 changed files with 211 additions and 2538
deletions" "bharos." occurs a whopping 196 times in the source code across
58 changed files.

Quote

Replying to @IITMPravartak

On investigation we found that one of the engineers in #Megam wanted to


try out a port of android and he used the name BharOS unintentionally. The
CEO of the #Megam has clarified that they rectified the mistake immediately
and have removed the fork. (2/2) @iitmadras @IndiaDST

This could be key. But may have to wait for a while to know for sure.
159365a9e6ca350496f238774e026e7650a4a37ef438a1f76f99e3ab055e9de3

More evidence for later. 95PTF


65215828c0bb410e1e1d980fe177a4dbb7560a648e931781c9cb98268d40fbf4

This may be one of the cleverest denials from any govt source so far. "This
fork has nothing to do with BharOS of our incubated company, JandKOps."
We wrongly assumed this was yet another standard blanket denial we are
used to. But this is wordplay.

Quote

We have received reports about BharOS forks in git attributed to #Megam.


This fork has nothing to do with BharOS of our incubated company,
JandKOps. (1/2) @IITMPravartak @IndiaDST @iitmadras #jandkops

Standard blanket denial would have read something like... "The fork has
nothing to do with BharOS." or "The fork has nothing to do with

or
" But they went with "BharOS of our incubated company JandKOps"

What we know so far... - The leak/fork is so real and obvious that they are
unable to deny it. - They have confirmed it has nothing to do with JandKOps. -
They have also confirmed that they are a client of Megam Solutions.

Quote

IITM responded to BharOS being GrapheneOS Fork Claims are false & BharOS
naming was unintentional IITM is a CLIENT of Megam & everyone knows what
is BharOS Still megam chose Graphene, forked it & named it BharOS even
BharOS was meant to be Open-sourced & 9 months have passed
twitter.com/IITMPravartak/…

So what was Megam Solutions engaged to create for

if it wasn't BharOS as they claim? We already know that "Megam MDM


Server" is part of it because it is hosted at mdm.pravartak.net

Quote

Replying to @kingslyj @iitmadras and @NICMeity

Incompetent idiots at @iitmadras cannot even lie convincingly. How did


mdm.pravartak.net end up in the "leaked" source code that doesn't belong to
BharOS at all? Also pravartak.net returns a 302 redirect to
pravartak.org.in twitter.com/IITMPravartak/

We also know that the corresponding MDM client side code was part of the
leaked repos.

Quote

Replying to @kingslyj
Looks like @iitmadras' Megam MDM, the #BharOS MDM is neither open
source nor indigenous. These strings don't yield any results in Google or
DDG. And localisation in German/French/Spanish and MIUI support isn't
exactly their priority.

So who was Megam creating this fork of

with custom closed source MDM of unknown origin for? Was it for Megam
themselves? No. Because "mdm.pravartak.net" And

are just glorified middlemen for various govt / govt-linked orgs.

Google's decisions about security partners are unfortunately mainly based on


business concerns rather than security. Android's security team gave us
security partner access and their business side later revoked it. We can still
get early access via partners as their contractor.
