Sometimes I read an article about open source that drives me nuts. A recent one stated, without irony, that 'critics have been pounding the table for years about open source being inherently insecure' and that Android is festooned with viruses because of that and because we do not exert Apple-like controls over the app market.

Let me speak to the first one: open source, which as you know is present in a major way in all three major mobile phone operating systems (Android, iOS, RIM), is software, and software can be insecure. I would posit that popular open source software only becomes that popular if its developers pay close attention to security and respond to users' concerns about it; otherwise other projects come to the fore.

For example, in the dusty spans of time, both sendmail and Apache went through a year-long or multi-year period, after they hit 95% and 70% market share respectively, when security flaws started becoming a problem on the growing internet.

Sendmail saw multiple OSS and proprietary competitors (qmail comes to mind), and over a period of years it educated enough sysadmins on how to wrestle sendmail.cf appropriately, and fixed problems with the system, to stem the loss of market share to other vendors and projects.

Similarly, Apache saw people rejecting many of the modules that were perceived to be (and often were) problematic. Some modules didn't come back; some came back stronger or with stronger default options.

So, in the spirit of making a positive post, here are some facts for future writers of articles about open source, mobile OSes and security. A cheat sheet, if you will:

iOS and Android both use WebKit-derived browsers. WebKit is coded by Android, Chromium and Apple developers, and (edited: to fix a sentence here) both use code from the original KHTML project out of KDE.

Both use, at their core, open source kernels (iOS uses a BSD derivative; Android, a Linux one).

Every single CE device uses tons of libraries from open source, especially OpenSSL.

Every single CE device owes a huge technical thank you to GCC; most are built using it.

All the major vendors have app markets, and all the major vendors have apps that do bad things, are discovered, and are dropped from the markets.

No major cell phone has a 'virus' problem in the traditional sense that Windows and some Mac machines have seen. There have been some little things, but they haven't gotten very far, due to the user sandboxing models and the nature of the underlying kernels.

No Linux desktop has a real virus problem.

Yes, virus companies are playing on your fears to try to sell you BS protection software for Android, RIM and iOS. They are charlatans and scammers. If you work for a company selling virus protection for Android, RIM or iOS, you should be ashamed of yourself.

Yes, a virus of the traditional kind is possible, but not probable. The barriers to spreading such a program from phone to phone are large and difficult enough to traverse even when you have legitimate access to the phone, and this isn't Independence Day: a virus that might work on one device won't magically spread to another. (And yes, I saw the deleted scene: http://www.cracked.com/article_18720_7-famous-movie-flaws-that-were-explained-in-deleted-scenes.html )

If you read an analyst report about 'viruses' infecting iOS, Android or RIM, you now know that analyst firm is not honest and is staffed with charlatans. There is probably an exception, but extraordinary claims need extraordinary evidence.

If you read a report from a vendor that tries to sell you something based on protecting Android, RIM or iOS from viruses, they are as likely as not to be scammers and charlatans.

Please note: policy engines, and the tools that manage devices for a corporate IT department, are not the same thing at all, but marketers in companies that sell such things sometimes tack on 'virus' protection. That part is a lie; tell your vendor to cut it out.

So there you go. I'm sure people will now chime in about some worm or malware they downloaded from some app market or something, which will be moderately fun, then it will devolve into a discussion about something unrelated, then I'll cancel comments. :-)
 
Will you delete a comment that says to re-read the 7th and 8th graph and fill in the missing words? :)
 
oh chris... where do you read such stuff?
do your heart a favour and stop it... xD
 
The simple way I would break it down +Chris DiBona: if it's digital or mechanical, it can and probably will be hacked or reprogrammed. It's a simple fact of life. But it's also great to see that such a person is still quite esteemed in the nitty gritty when it needs to be laid down.
 
The difference is that with open-source, if a threat is exposed, the developers work to fix it. In closed-source, the developers work to fix it, too... but the company has a vested interest in downplaying and/or denying the problem exists. "If no one knows about this yet, just sit on it until we can hide the fix in some big patch set. That way, we preserve our image!"

That conflict between marketing / management is missing in open source works.

As for apache and other systems, boxes are as secure as the admins make them. Slapping the install disc in and leaving things at default settings seldom leaves you with a secure box. In any OS.
 
+Chris DiBona "Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself. "

Well said. I have been preaching the same for some time now.
I also agree with the rest of the posting. Open Source Software is the best thing for security that can ever happen. Security by obscurity never worked, and never will.
 
IMO, virus writers focus on market share. Android is getting market share, hence Android will be a target. Whether it becomes a problem remains to be seen. Currently, most of the "infections" are malware/spyware installed by careless users. It remains to be seen if the virus writers can crack Android, but nothing is impossible. Hopefully we are still a long way from infection by browsing, for example.
 
when you can't sell your product due to consumer need or quality, then you attack the market with FUD and ram it in to garner a few more sales.

it works for a short term, but guarantees a rather rotted reputation and sour eulogy for your company/product in the long run
 
This bothered me at Blackhat this year. There was a lot of discussion about the supposed vulnerability cost of open source. The real problem is not with open source code but with bloated code. More surface area means more of a chance to find a vulnerability. +Chris DiBona +Linux
 
FUD? I thought Microsoft patented that during the build-up to the Win 95 release. See also: OS/2 came out with their 32-bit OS/2 Warp about 6 months before Win95. And it didn't crash. But it got no love.
 
Thanks for fighting the FUD.

> in all three major mobile phone operating systems (android, ios, rim)

If you are looking at a global scale you can add Symbian, which relies on Qt and WebKit.
 
oh noes. +Anthony Lineberry of LookOut Mobile security might take offense to the comment of "Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself. "
 
So is Lookout pointless to have on your phone?
 
+Chris DiBona Plus, Lookout has lost/stolen phone tracking and remote kill. Nice features.
 
Articles usually seem to be driven by an agenda or dollars. Good blog, but you are fighting a winless battle. I love the fighting spirit.
 
"Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself."

You had me up until this point. There's nothing wrong with performing signature-based malware scans (I don't know why we're still calling it anti-virus). You shouldn't think of it as anything other than a reactive security measure, but they still have their place. No matter how many walls you build, there will always be a way to get around those walls. Having a tool to do some automated cleanup is useful, especially for your average consumer.

The existence of malware scanners for Android is not an indication that Android is insecure; I would argue the opposite. The fact that we can load and run security tools on our phones is a plus for Android.
 
+Jeremy Clark There's nothing wrong with it except that it's almost entirely unnecessary. OTOH, if people are sideloading apps, using something that does simple signature checking is better than nothing.
 
Totally agree - Microsoft Windows is the only OS that people are forced to pay for from Windows 95 to Windows 98 to Windows XP to Windows Me to Windows Vista and all of these mainstream consumer OSes came without Virus protection and Consumers were still forced to buy these OS and install McAfee/Symantec/Norton Anti-Virus because of Microsoft Office being a good quality professional document creation system.

When Linux gets from LibreOffice or OpenOffice to Pro Level - then there would be a definite shift, consumers are already tired of paying double for MS Products on every OS release.

In the mobile arena - this is the primary reason apart from buggy Microsoft products - that consumers have moved away from Windows CE or Windows Mobile or Windows Phone since document viewing is great on open source or Apple IOS or Google Android products.

Why Android lost to Apple IOS was because of:
1. Initial versions of Android were buggy.

2. Android didn't have well defined policies to security-validate and quality check Apps being uploaded into Android Market. Granted social policy would govern usage and download and rating of an App - but spurious Apps need only 1 chance to be installed on a naive customer mobile device - and that causes more cost.

3. Android products are confusing - some only support Android version 2.1, some 2.3, some 2.7, some version 3 and many Android phones have custom non-modifiable-unless-rooted layer which makes it hard for customers to make an easy choice.

4. Older Android phones were made from cheaper hardware which turned away customers - that's changing now.

5. Android mobile device cameras are typically worse than iPhone cameras for the same price points.
 
Strange, my comment disappeared, and it was not off topic :-(.
 
+Charles Vaz Android lost? With 52% market share compared to Apple's 15%? You've gotta be kidding.
 
I was referring to results before last quarter.. Android is catching up.. in fact i love Android 2.3 on the Coby Kyros 7022 capacitive screen tablet - its fast, snappy, lightweight and at $159 from toysrus - consumers get a quality tablet with so many apps for a very good price, so Android is definitely more mature now and its definitely removed Blackberry from the equation.
 
+Richard Lee, there have been multiple occasions where Google has pulled apps from the market because of potential malware as well as copyright infringement. So while Google doesn't go through every single app and approve it for the market, they do pay attention when people rate low and flag things as abusive.
 
Well stated. One thing you didn't point out, however, is that security researchers love working with Open Source software because it's an open book. If you want to try some particular attack, you can use static analysis tools to find vulnerabilities in the source itself.

The researchers notify Open Source developers of these vulnerabilities, and we put out public notification for our users to upgrade or patch ASAP.

The ecosystem is optimized to discover, expose, fix, and publicize security problems as much as possible. End users hear about more security problems in Open Source software than in other packages; that's a Good Thing.
 
I'm glad you didn't post the link to the FUD article, but it would be interesting to know who wrote it and who (directly or indirectly) funded it. Cui bono? as they say.
 
+Richard Lee The "potential to sell trojans?" Well, you better pack up and go home, since every venue could sell a trojan (I find that trojan writers are more than happy to give them to you for free--LOL), including not just Apple's iOS App Store, but their Mac App Store as well. Your corner computer store could conceivably sell some malware, and almost every Windows box comes with software that could be considered malware preinstalled! Apple's curation isn't a guarantee for malware free software, and the belief that it might be is symptomatic of our current culture which would prefer to depend on a parental-type other to protect them rather than community members protecting each other.
 
+Jeremy Clark Except the only way to scan other apps on, say, Android, is to break out of the sandbox. At that point your "AV/malware scanner" itself is a malicious app.
 
Any critics claiming that open source is inherently insecure would have to be idiots if they actually existed. One of the basic principles of the cryptography literature is that no undisclosed crypto algorithm can be secure because it cannot be subjected to peer review. All the crypto algorithms used for online banking and shopping are published in Schneier. In desktop OSes, we have seen a tight consistent correlation between closed source and malware vulnerability. What's different about mobile OSes such that they would violate both basic principles and decades of empirical observation?
 
Yep +Will Ware agreed.

The problem with most open source systems is that - it's not designed for the masses - you need a bit of technical tinkering to get it to work in a simple manner like you need, and that "ease of use" is what closed-source systems charge users for.

It's as simple as saying 90% of customers want a system that works in simple ways without much tinkering.

As you pointed out the advantage of closed source is not security and malicious bugs creep in - due to the rush of these closed source vendors to deliver new products.

But Apple turned the open source system into gold by demonstrating that a quality tested and wrapped open source product that is made simple enough will sell like hot cakes.

And google is bound to succeed using the same strategy pattern, as long as they match iOS quality at cheaper prices - I'm sure there will be a lot more Android tablets and laptops.
 
Now, how do we deal with things like government agencies with CTOs that require virus protection on all devices? I've heard the argument from people that Linux and phones might store viruses that will infect Windows machines (e.g. if a virus attachment was forwarded by a user), so therefore all computers and mobile devices must have virus software on them. From what I've seen, the commercial virus scanners on Mac OSX are often the source of problems I have to troubleshoot for people.
 
+Charles Vaz <snark>Open? Aren't we using Apple as the shining example of closed?</snark> Absolutely the mass market wants "dead stupid simple" for consumer mobile devices, and absolutely iOS has had that in spades. (Indeed, that is Apple's strongest suit in everything. It is the click wheel that allowed iPod to become dominant. Nobody does "dead stupid simple" quite like Apple.) I'd go farther and say that closer to 99% of people don't want to need to "tinker" with a device to get it to work properly, regardless of the category of device. But "dead stupid simple" CAN be done in FOSS; that some FOSS hasn't in the past been strong in the "ease of use" category isn't a reflection of it not being possible in FOSS but a product of the fact that, at least up until now, much of FOSS tends to be developed both for and by maker/hacker/tinkerer/hobbyist-type people.

+Kurt Schwehr I wish there was an easy answer there, but ISTM that, especially with government agencies, those attitudes and policies are usually the result of policy being made by people who don't really understand how the technology in question works. I think the inherent security of FOSS is a little counter-intuitive; it SEEMS LIKE secrets are safer than things that are out in the open until one understands how things actually work. I like to believe education is the key, but many of the very people in question don't or won't become more knowledgeable in this area. (Like you, my experience has been that commercial malware scanners for OSX are a source of problems way out of proportion to the risk of malware on the Mac, and I never recommend that the family/friends who depend on me for tech support use them, while I DO recommend they use some protection on Windows.)
 
+Pjay Pender - Yeah, agree with FOSS in theory and Ubuntu proved it in practice. Problem with FOSS is that someone needs to provide the funds for the time and the server space to implement, host, test and maintain the FOSS system.

I agree FOSS systems are a good check on the closed source systems - but getting a FOSS system to the corporate environment is the challenge - with Windows keeping on charging an arm and a leg for every version - FOSS systems may just get that push into mainstream.

Also, we're yet to see FOSS systems in mainstream tablets for example.

And not to be sounding very critical - historically FOSS systems eventually become kernels for very successful closed source systems.
 
Heh. +Will Ware Exactly. Mobile OSes are not really inherently different from desktop OSes when it comes to security. In the world of IT security, a device is pretty much a device and securing it relies on following some basic principles. But I suspect I don't need to tell you that. :)
 
+Chris DiBona I think you may have deleted +Georg Grabler by accident and not the check this out thing. It is still there...
 
+Charles Vaz Uh huh. Open doesn't necessarily have to be without charge. You can sell Linux if you want, or support, like Canonical does with Ubuntu. And you don't have to close the code to sell it either. I do think that to achieve "dead stupid simple" it is probably necessary to charge money, but that doesn't necessarily mean closing the code. And I really don't see why getting FOSS to the enterprise still open is an insurmountable challenge--a pretty good chunk of the web runs on Apache so enterprise grade isn't a problem in FOSS.

And aren't Android tablets mainstream? If not, what besides iOS is?
 
Android doesn't have a virus problem, but what about trojans and other malware? Users generally, in my experience, don't read permission requests so I guess that is a valid service an "antivirus" app can provide. Also, lots of apps don't technically break any Android Market rules but still might do things the user doesn't want behind their back, like the official Facebook app that copies your contacts to their servers without asking if you choose to sync your Facebook contacts to your phone, and that is even built-in to the Nexus One and can't be uninstalled. ;)

There's also the issue with vendors not releasing updates for known vulnerabilities in Android.
 
+Johan Appelgren But Chris's original post was in re: open source in general being regarded as less secure than closed source. Nothing is perfectly secure, but FOSS is certainly at least as secure as closed code and is often, if not always, more secure. That users can be tricked, even easily tricked, into ignoring permission requests on Android means that those users are less secure. But properly managed Android is as secure as any properly managed handheld OS, if not more so.
 
OK so what classifies as a traditional virus on a phone? There have been apps that steal user info, send texts to rack up your bill, etc that have been caught by the teams of Lookout and such. I thought these would be considered traditional viruses. I guess not. Lookout has flagged an app for me once, and it later turned out that in fact the app would have "read my sensitive data" and probably could have stolen my info. I think Chris needs to do some more research.
 
After some thinking, and a suggestion from someone else, the article is correct. The word "virus" is the wrong word to use. Lookout, and such should instead change it from Anti-Virus to Anti-Malware protection. That would solve that.
 
+Pjay Pender Since users don't read permission requests or understand when an app does something wrong I guess Android can be considered less secure, doesn't matter if it is open source or not. Relying on users or developers doing the right thing doesn't really work.
 
If you think OSS is in anyway inherently insecure, do a search for "nsa open source security". If the NSA's (the secretive National Security Agency-USA) activity with and support for OSS projects is any indication, OSS software does not have any inherent security problems.
 
Closed source is inherently less secure. If you're selling software on a for-profit model, then you have a vested interest in denying the problem and not wasting any more money on fixing it. Think of all the well known security holes in Windows, that take anywhere from weeks to years to be patched. Now think of all the ones they know about but aren't telling us about. Microsoft and Apple have a vested interest in looking like they're doing something for security. Nobody notices an absence of security flaws, everyone notices a security patch.
 
Thanks for this article, Chris. You put in writing what I say every day to people. Bravo.
 
Small gripe. iOS does not use a kernel that is a BSD derivative. It's XNU, which is technically NeXT based, but with a few minor 4.3BSD components.
 
+Michael Vaughan I guess this is why SE, HTC and friends don't release security fixes (unless the vuln is really high profile) and instead their support suggest that you buy a newer model if you ask them about it. ;)
 
I have a Nexus S and I always ran Lookout and a task killer app on it, but in the end I discovered that both are really useless for me. Thanks for the article.
 
+Bobby Phoenix Well, "virus" is a pretty specific term, even though the mainstream media and general public tend to call all malware viruses. A virus on a computer system, like a virus in a biological system, is self replicating and spreads from one system to another. Melissa and I Love You were (are?--anyone seen these lately?) viruses. What we are seeing on Android and iOS are not usually really viruses, and furthermore, not all "bad stuff" is technically even "malware."
 
+Johan Appelgren Relying on users to read and be educated may not work these days, but it's a reasonable expectation. If you don't read the permissions before installing an app to Android, you are as big a part of the problem as the malware's author. That doesn't mean that an app with lots of permission requests is malware, it means asking yourself, and the software's author if you need to, why this app needs this or that permission. An app whose free price tag is the result of serving ads to the user NEEDS internet access, so if I want the app, I need to grant the request. I could get a paid app that doesn't rely on advertising, and that app may not need web access. Many apps need to know if you're in a call or not--asking for permission to read phone state is reasonable for those apps. OTOH, wallpaper (unless it has ads or active content) DOESN'T need web access, and I am reasonable in asking why the dev decided to ask for it.

It's about freedom. Android is more secure than iOS because I DECIDE for myself (and you for yourself, and so on) how much benefit I ask for in exchange for how much risk I am asked to take. If I choose not to read the permission requests, or ask myself or the developer why an app needs this or that permission, I have decided that my price for high risk is very low. My phone will have lots of apps that do lots of things, but I will also probably have malware and other security problems. If I deny any app that asks for any permissions at all, I'll have a phone that is VERY secure, but which doesn't do much either. With iOS, Apple makes that decision, and their decisions may or may not match what I'd choose for myself. If Apple's walled garden makes one feel more secure, that's an illusion.

So, I disagree. Users not reading or not understanding permission requests doesn't make ANDROID less secure. It will make those users less secure, but this isn't a reflection on Android's security, nor of FOSS security, but a strictly PEBKAC problem. You can't fix stupid.
 
+Mario Catalano I think that allowing developers to do what they choose as long as they're open about it is part of freedom. If you don't agree to the permissions the dev requests, he doesn't sell you or give you or allow you to use his app. That seems reasonable to me.
 
Virus existence depends only on the proprietary OS insecurity. Free software on smartphones is revealing this to everybody, finally.
 
nice bombardment sir! to keep these witches away from Android! they are just jealous of what we are right now! kudos!
 
+Pjay Pender So perhaps some kind of Android device drivers license is needed. When I observe friends using Android they just click past the screen about permissions and don't even realize what they do, they just want that cool app and since it is just a phone there's no harm.. ;)

Btw, most apps don't need to know if you're in a call or not. They use that permission to get a unique id for your device that does not change even if you factory reset it. Not what it was intended for but a consequence I guess of ANDROID_ID being unreliable/broken on some devices. Could also be that ANDROID_ID is reset by a factory reset, which causes advertisers to not want to use it.
 
+Johan Appelgren And I am not disagreeing that there are stupid people, and installing apps without regard for what they access in your system IS stupid, but that is NOT a reflection on ANDROID'S security! Douglas Adams said that "a common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools" and no truer words were ever spoken. You CANNOT fix stupid. I observe the same "click-past-the-permissions" behavior. I just believe it's the stupid clicker's fault and not Android's when the unintended occurs! And Android drivers do have licenses, mostly Apache, but not exclusively, though I'm not sure how this helps prevent idiots from shooting themselves in the feet.

This is about security of the system. FOSS is not only AS SECURE, it is arguably MORE SECURE than closed code. And Android IS SECURE, and the fact some--or even most--people act counter to their own interests doesn't make it less so. Trying to make anything "foolproof" is complete folly.

And BTW, some apps DO NEED to know if you are in a call. You're not suggesting that no apps need to know phone state, are you? Or are you saying that Android has this permission solely to allow developers to get this unique ID nefariously? SO exactly what is inaccurate and needs correcting about my statement that "Many apps need to know if you're in a call or not"? I most assuredly did not say that every app that asks for this permission needs it. Not every app that asks for ANY permission needs it. But certainly many apps DO need to know if you are in a call.
 
So what about the malware that Google has pulled off the market?
 
Missed this post the other day until somebody pointed it out, but it's so true, and I keep trying to explain the same thing over and over. In an ideal world we would have journos consulting with knowledgeable people before posting wild claims, which may help :)
 
So let me ask anyone....is the Android Market Safe?
 
+Ferny D. of course, in fact it tells you what permissions the app needs before you install it. If notepad wants access to your GPS and wifi then chances are it may be odd and you can find one better? :)
 
+Pjay Pender I agree with you that you can't make it foolproof. Still doesn't hurt to think about how to make it better for non-technical users.

Many apps might need to know if the user is in a call, but a lot of apps that request it do not. Just looked on the front page of Android Market: of the twelve featured apps four require that permission and none of them need it except for retrieving the device id. One of them even says so in its description. :)
 
+Liz Quilty, sophisticated malware apps have been known when executed to root the device, hence bypassing the sandboxed security system ala permissions you mentioned. And when apps are found to do such things or even hint at malware, they are removed via Google as +Ferny D. stated was done in the past, a few times. Google has also been known to remotely uninstall malware infected apps from infected devices. :)
 
I agree with you to a point. I'm an Android fan and not a highly technical user. And while I certainly do appreciate the fact that Android is not as susceptible to viruses as Windows, it's certainly susceptible to malware (of which viruses are only a subset) from the Android Market, because Google does not curate the store.

When there's no way for regular users to know which apps are safe on the Android Market (which because of its Google backing, almost seems to imply that all apps are safe to regular users), most regular joes will probably conclude that some kind of AV/anti-malware software is necessary.

Google could easily solve the problem by making more of an effort on curating the Android Market. If Google doesn't want to pre-approve apps, then Google should make a sincere effort at educating users about trusted developers for example.

And why does Android still not have basic security functions like 'Locate my phone', remote wipe, etc.? These features alone would take a lot of the wind out of Kaspersky's, AVG's, etc. sails.
 
+Derek Ross recently the same thing happened to Apple via an authenticated app, so neither is particularly more secure than the other. Apple pulled it once it was pointed out, same as android would have done
 
Damn, Symbian is the worst. Never knew it had malware.
 
You are a pedantic idiot.
 
I think that's what is known as a troll +Ferny D. :) Random insult at nobody in particular, designed to make arguments
 
+Chris DiBona: The fact of the matter is that there ARE viruses and malware for IOS, Android and Linux - there just aren't many of them. I don't think you can state that all companies making security software for these devices are charlatans just because they are protecting against something that is uncommon. Should they wait until infections are endemic before they start making products? I guess we are lucky you don't run the CDC ...
 
I should add that I agree with the rest of your article: namely that OSS is not inherently insecure.
 
+Mario Catalano Those pre-loaded apps you refer to are not open-source nor part of Android. Those are carrier-added and/or manufacturer added. When the day ends, I do not believe Android is less secure than Apple's walled garden, and I absolutely do not believe it is Android's responsibility to protect people from their own stupidity. If you install an app without looking at the permissions that simply doesn't make ANDROID insecure. We seem to live in a world, these days, where people seem to think that it's someone else's responsibility to protect them from themselves.

+Eric Sites So are you.
 
I think many of the warnings by these "virus" protection companies convince the unsuspecting public that all malware are viruses, which just isn't true.

Furthermore, any malware which might exist for Android give notice up front about what this malware wants access to.

That aside, I do feel there is a tendency to suggest that everything is peachy and that if anything bad happens, it's the fault of a dumb user who didn't read the disclaimers. However, consider this... if I install a Tetris game and see that it wants access to my SMS messages, it's simple enough for the alarm bells to go off and I simply don't follow through with the install. However, imagine I install an application like JuiceDefender. By its very nature, since it tweaks various settings based on various criteria to maximize the battery potential, it does not surprise me that the application expects to: ...receive and process SMS messages. (Malicious applications may monitor your messages or delete them without showing them to you)... view configuration of the local Bluetooth device, and to make and accept connections with paired devices... read from the system's various log files. (This allows it to discover general information about what you are doing with the device, potentially including personal or private information)... access the phone features of the device. (An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like)... write to the USB storage... write to the SD card... modify the system's secure settings data. (Not for use by normal applications.)
However, although I trust JuiceDefender now... what happens if one of the developers (or the developer?) goes rogue and on one of the updates decides to do a bunch of malicious stuff with this. On the next update, it won't need any additional permissions (it already has all of the permissions it needs) and it could delete all of my SMS messages or nuke contents from my SD card or send a text message to everyone in my contacts list.

I think it's these types of concerns that lead most people to believe that they can't fully trust their own judgement when installing apps, no matter how careful they think they're being. So, as a result, these anti-"virus" companies take advantage of this fear and talk about malware and viruses. I think that people envision a bunch of nefarious developers writing perfectly legitimate and useful applications, then pulling a trick on everyone and activating the hidden functionality in the app or updating it with something nefarious.

Years of history of the Internet, however, have shown that this is rarely the case. If an application is useful and installed by many, the publisher will usually find a way to profit from it and will want to protect his investment and will make sure intentionally bad behavior never finds its way into the application. So, most malware truly will be similar to a Tetris game that says it needs access to your SMS messages.
 
+Peter Sitterly Unless you have one of many Android phones out there with easy to use privilege elevation vulnerabilities that give apps complete access to your phone without needing any special security permissions at all. ;)
 
+Peter Sitterly What about the official Flickr app that wants to read contacts and your IMEI, send and intercept SMS messages, and a few other things? Trying to explain to friends and family what to watch out for isn't made easier when devs add unnecessary or redundant features to their apps that require additional permissions, possibly dangerous ones or at least ones with privacy implications.
 
After reading this post and this response: http://countermeasures.trendmicro.eu/the-mobile-threat-fud-or-mud/ I tend to agree with +Rik Ferguson's points. Viruses aren't the only thing our Android devices need protection from. Besides, it is well known that most users are running outdated versions, and that this isn't going to change anytime soon. (It might be that frustration on this sore point contributed to some of the above 'rant' (not meant derogatorily).)

So, +Chris DiBona , are you going to respond to Rik's points?
 
+Peter Sitterly Agreed, more or less, but how does a malware scanner protect you from this "rogue developer" you've envisioned? How could Android? Even Apple's very high-walled garden has had some malware. IS THERE even a way to protect against this hypothetical "rogue" that doesn't entail simply not installing any apps ever? And does this actually make the "virus" scaremongers less deceptive?

I LOVE my Macs, I really do, but having been an iPhone user for the first three iterations and now being on my third Android (fourth if you consider one I tried for 30 days and returned for a different phone), I prefer to trust my own instincts and decide what apps I'll install based on what permissions they ask for (and my assessment of what they might need these for) rather than rely on Apple to do this for me.

+Johan Appelgren Whether or not the official Flickr app asks for permissions that are inappropriate is a matter for each of us to decide for himself. Full disclosure, I am not a Flickr user--I use Picasa, and did prior to G+--so I can't say whether I'd install the official Flickr app or not, not having seen the permissions it asks for. But again, it isn't right to suggest this is a security issue in Android, when it's clearly the phone owner's responsibility to look closely at any app he installs. And the only "privilege elevation vulnerabilities" as regards Android devices I'm aware of don't affect "many" handsets; they affect ALL Android devices. AFAIK there are no exploits of these in the wild, just a proof-of-concept.
 
Pjay Pender I've been saying the same for years. If you just turn UAC all the way up and stop installing malware, your Windows Vista or 7 is as secure as any Linux or Mac. I mean, how hard can that be?
 
+Timo Kinnunen "If you just turn UAC all the way up and stop installing malware, your Windows Vista or 7 is as secure as any Linux or Mac." Just not as usable.
 
+Timo Kinnunen Who in their right mind leaves UAC on? If I wanted to be nagged about everything I did, I would go to my girlfriend.
 
I'm surprised that no one's explicitly mentioned how flawed Android's security framework is. Am I the only one who thinks so? Let me elaborate.
While permissions are definitely a step in the right direction, they are currently not granular enough and the end user doesn't have the amount of control s/he should. Specifically, I believe that as an OWNER (as in I paid for it and it belongs to me) the person should have the right to enjoy a completely unrestricted access to the system. But, currently, the only way to obtain this is to root the phone... at this point the idea of a developer-driven, open-source platform (and I won't even mention "Java-based," don't get me started on the Dalvik VM) begins to deteriorate.
Why is there no support for the user to be able to grant the app some permissions and not others? Every app has a set of features and some features revolve around a particular permission(s) but that doesn't mean the app should be an all-or-nothing kind of deal... Take an SMS app as an example. Does it ABSOLUTELY need access to my contacts? No. At its core, all it needs to function properly is two parameters: target phone number and the text message I wish to send. Is it NICE to have access to the contacts in order to improve usability? Yes. But why the hell can't I specify what I want it to look at and where I don't want it snooping at all? My personal favorite is "Network communication," described as "full Internet access." Really? I mean REALLY!? Just like that? How about as the OWNER of the phone, I'd like to have the ability to explicitly specify a list of URLs an app can connect to? How about I'd like to have a firewall on my device without rooting my phone? How's that for a giant middle finger from Google?
Should I start talking about preloaded apps? You know, the ones I can't even opt-out of (I won't even mention about opting-in)? Nah, I think we all get that one...
Anyway, I think I've made my point. You can't rely on developers or blame the end-users for any malware that might plague the market until there's a robust security API which allows an extremely fine-tuned level of access for Android-enabled devices.
 
I love that helpful suggestion. "Stop installing malware." Genius! I can't imagine why I didn't think of it. :D

+Pjay Pender That was, more or less, my point. There is automatically a built-in danger for simply using the technology (even iOS) for which there is no perfect solution. It's this fear that the anti-"virus" companies are capitalizing on. They aren't so much inventing a fear as they are taking a legitimate one and blowing it out of proportion.

+Andrey Yamshchikov I think it boils down to balance. That would be a nightmare for developers. You'd have to code for every possible scenario in which the user has disallowed access to certain things but not others. And, at the end of the day, maybe 1% of the users would actually take the time to tweak these granular controls. The majority of the people just want to install an app and use it, not have to run down a list of 20 checkboxes and then try to figure out if the app sucks because of one of the checkboxes you unchecked, or if the app just sucks.

It would also mean there could be thousands of different possible user experiences for a given app. Imagine the need for a granular review system. Imagine if your comment only applied to how unfriendly an app is when you disable X, Y, and Z. If you don't specify your settings in the review, the app will sound broken to others reading your review, not realizing it's only broken when you disable X, Y, and Z. In theory, the concept is sound. In actual practice, it will hardly make a noticeable dent in the ecosystem as a whole and will introduce more problems than it solves.
 
+Chris DiBona Congratulation with your promotion to official spokesman for Google, which I infer from all the media stories that refer to this post as "Google says"... :-) :-(
 
+Per Abrahamsen In general, the media almost always says "[Company] says" whenever any publicly known employee of said company speaks publicly about a company issue. They're lazy that way.
 
+Peter Sitterly You seem to have covered nearly what I was going to say.... Anybody ever read "Unsafe at any speed" in depth? (http://en.wikipedia.org/wiki/Unsafe_at_Any_Speed for a primer) Years ago car manufacturers were not particularly concerned with safety. The attitude was pretty much that accidents are caused by the driver... much like +Pjay Pender asserts about Android users. I wouldn't say the average user is stupid though, that is a rather narrow techie view. The average user wants their phone and its apps (or their car) to go from A to B in a reasonably safe manner... the less they have to think about the details (except for techies), the better. It is unfortunate that Android allows the freedom to do yourself damage... and the Corvair was a pretty cool car to drive until your tires tucked under...
 
+Peter Sitterly I was leaning more towards having fine-grained permissions at the platform (OS) level... For example, I go to the "Manage Applications" menu, find the app I want to tweak, and do it there. So, the permissions are tweaked externally. Still, the developers should have the option to code around disabled features. What's wrong with implementing software on a feature-by-feature basis (does modularity or iterative design ring any bells)? Either way, each application should come with a developer-specified set of features that are enabled by default and the user has the option (before and after installing the app) to tweak the permissions as s/he sees fit (or not). Don't FORCE the user "to run down a list of 20 checkboxes," that's just awful design. Everything boils down to having the ability to do something - developers have the option to add features as they see fit and end-users have the right to say "No thanks, I don't want it" while still having the core functionality of an app. Exercising that ability is a completely separate issue. Once the ability to fine-tune applications is available, experts, developers, spokesmen and everyone else with an opinion on the matter can start pointing fingers at each other. But until then the only entity at fault, so far as I can see, is Google.
As for the "rating system problem," let's not get carried away with generalizing and dismissing ideas on the premise that "it'll be too hard to implement." There's nothing that mighty Google can't do, remember? Besides, the possible issues that might happen are tied into implementation detail and user training and should be dealt with as they arise.

P.S.
And no, Apple style market is most certainly NOT an alternative solution.
 
Is there an AV for RIM (Blackberries)? I would never install such a thing on my BB, which makes phones slow and does not serve any purpose, as I have never heard of any viruses on Blackberries.

Please correct me if I am wrong.
 
As many people have said, the average user doesn't care about the pedantic definition of virus vs. malware and nor do the companies selling anti-virus/malware and therefore I would like to think the anti-v/m companies aren't charlatans (they just don't stick to the pedantic definition of terms).

In terms of OSs, mobile or otherwise, a curated store, whilst not perfect, definitely helps reduce malware. It seems from the iOS experience that a curated store is sufficient in itself to do without malware protection on the device.
 
To say there are no legitimate threats on smartphone platforms is wrong. There are applications out there that use encrypted communications to download payloads and vacuum everything up off your phone and send it off to China/Russia. I do agree that most smartphone anti-virus companies out there fear-monger. That's how most of their marketing works. To disavow any sort of mobile malware threat is wrongheaded and irresponsible, though. As part of full disclosure, I do work for an MDM company.
 
+Mario Catalano What, specifically, do you not have control of in Android that you feel would give you the ability to protect yourself better? In Android, NOT in carrier and manufacturer crapware, much of which has the intended purpose of spying on you, and which is not open source, which is the subject here.
 
+Matthew Case Not one single person in this entire string of replies has said that "there are no legitimate threats on smartphone platforms" OR "disavow[ed] any sort of mobile malware threat." There is a huge gap between no conceivable threat and "malware is about to 'vacuum everything up off your phone and send it off to China/Russia'." (And you accuse others of fear-mongering?) What many of us are saying is that AV for mobile platforms is unnecessary at best and those who sell it are taking advantage of people. None of us is suggesting that caution isn't necessary--on mobile platforms, and on the desktop.
 
+Matthew Case In addition to what +Pjay Pender said, I'll add that while there are definitely conceivable threats, the number of actual threats on Android is quite small. There are plenty of Trojans and spyware (including vendor-installed spyware such as #CarrierIQ), but there are no known viruses, at least not in the traditional sense. Traditional vectors for virus infection -- infected boot sectors, malicious ActiveX-type controls, e-mail viruses, etc., simply do not apply to the smartphone platform. There is no Outlook, there is no IE.

That's what +Chris DiBona's point was.
 
Pedantic comment about the word "virus" is pedantic, Chris. Clearly the mobile anti-malware vendors are selling "anti-Trojan" software, which is most assuredly not snake oil, but "virus" is in such common currency as a synonym for "malware" that it doesn't require glossing.
 
+Pjay Pender "Even Apple's very high-walled garden has had some malware."
+Liz ℚuilty "Recently the same thing happened to Apple via an authenticated app, so neither is particularly more secure than the other."

The fact that Apple has had malware doesn't prove anything by itself. Everyone understands that nothing is 100% secure; the question is how secure something is in relation to other things. I don't know for a fact, but it seems clear that Apple's vetting process, while not perfect, will do more to discourage malware than Google's lack of any vetting process.

Also, blaming the users is not a valid excuse. Social engineering has been around for ages and is another thing that Apple's vetting process, while not perfect, can help combat.

Even if "Android used by an intelligent user is just as secure as iOS," that does not mean "Android is just as secure as iOS" -- especially with Android increasing in market share and therefore becoming a more appealing target to malware authors.
 
Do anti-virus companies offer monetary compensation if their software does not catch some virus?
 
The great thing about mobile AV is that because of the sandboxing, you can do much more accurate preventative detection. You don't need to do as much signature based detection, and can focus on making sure that apps coming from the "games" section don't need access to your contacts list. Of course, no mobile AV is actually doing that yet, but when it does, I'm sure there will be a large market for calculating estimated sketchiness levels of applications.
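A static check along the lines of the two points raised above (an update that quietly adds permissions an app did not previously declare, and a game in the "games" section that asks for your contacts), written here as an added example for this thread; it is not code from Android, from Google, or from any AV vendor. It parses the `<uses-permission>` entries of an AndroidManifest.xml. The permission names are real Android permission strings, but the per-category baseline, the weights, and the two sample manifests are constructed for illustration only.

```python
"""Constructed example: score an APK manifest's declared permissions against
what its store category plausibly needs, and diff two versions so that an
update which adds dangerous permissions stands out.

Assumptions (not any store's or scanner's real policy): the DANGEROUS weights,
the CATEGORY_BASELINE sets and the sample manifests below are illustrative.
"""
import xml.etree.ElementTree as ET

# The namespace used for android:name attributes in every manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names; the weights are an assumption for illustration.
DANGEROUS = {
    "android.permission.READ_SMS": 3,
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.SEND_SMS": 4,
    "android.permission.READ_CONTACTS": 2,
    "android.permission.READ_PHONE_STATE": 2,
    "android.permission.READ_LOGS": 3,
    "android.permission.WRITE_SECURE_SETTINGS": 4,
    "android.permission.INTERNET": 1,
}

# Assumed per-category expectations: dangerous permissions outside the set are flagged.
CATEGORY_BASELINE = {
    "games": {"android.permission.INTERNET"},
    "messaging": {
        "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
        "android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
        "android.permission.INTERNET",
    },
}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the set of <uses-permission android:name="..."/> values."""
    root = ET.fromstring(manifest_xml)
    attr = f"{{{ANDROID_NS}}}name"
    return {el.get(attr) for el in root.iter("uses-permission") if el.get(attr)}


def sketchiness(perms: set[str], category: str) -> tuple[int, list[str]]:
    """Sum the weights of dangerous permissions not expected for this category."""
    expected = CATEGORY_BASELINE.get(category, set())
    unexpected = sorted(p for p in perms if p in DANGEROUS and p not in expected)
    return sum(DANGEROUS[p] for p in unexpected), unexpected


def update_delta(old: set[str], new: set[str]) -> dict:
    """Permissions an update adds or drops; newly added dangerous ones are the red flag."""
    added = new - old
    return {
        "added": sorted(added),
        "removed": sorted(old - new),
        "added_dangerous": sorted(p for p in added if p in DANGEROUS),
    }


# Constructed sample manifests: a Tetris game, and an update that adds SMS and contacts.
TETRIS_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.tetris">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

TETRIS_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.tetris">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    v1, v2 = declared_permissions(TETRIS_V1), declared_permissions(TETRIS_V2)
    print("v1 games score:", sketchiness(v1, "games"))   # (0, [])
    print("v2 games score:", sketchiness(v2, "games"))   # (5, [READ_CONTACTS, READ_SMS])
    print("update delta:", update_delta(v1, v2))
```

The same two permissions score zero under the "messaging" baseline, which is the point of tying the heuristic to the store category rather than to the permission list alone; the update diff is what catches the "already has every permission it needs" case, since it compares what the package declares across versions rather than what the user was prompted for.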
 
I'm sorry, but you are a bit naive. I agree that the current AVs available for Android probably do not address the real vulnerabilities (from a "phone" standpoint), but to imply that it is nearly impossible to propagate a "phone-to-phone" infection is incorrect.
 
Oh FFS, Peter Johnson, Chris posted this a year and a half ago. If there is anyone at Google I'd have to say ISN'T "a bit naive" it'd be Chris DiBona. SO I say "Put up or shut up." Examples or it didn't happen. How and in what way does the open foundation of the major phone OSs make them vulnerable to phone-to-phone infection? Or if you're contending this is a problem ONLY for Android, how and why?
 
Ok, stupid user here... In the real world I use Windows, iOS, Android, and Kindle to access and handle the same documents and websites. Data portability is what makes all of our devices so desirable. If I import a Word doc to my Android phone using Google Docs or access my Amazon account on my Windows laptop, iPad, Android phone, and Kindle, aren't I wide open? I understand that many of a virus's actions are tuned to a specific operating system, but multi-device bugs just seem obvious. Additionally, I want some of the trappings of the AV suites such as a multi-platform password manager, remote wipe, device tracking, and a dialogue that allows me to tweak my security for all my devices from a central dashboard. Lots of companies offer pieces but I haven't found this package yet. Note that I may not need the AV piece on my Android phone but I still want to see that device on my dashboard.
 
Re my previous comment... add in my Chromebook.