Google’s Chris DiBona has a bone to pick with those who make misleading comments about the state of mobile security, especially when it comes to Android and open source software. He took to Google+ earlier this week to outline his frustrations, attempting to explain that there’s nothing inherently insecure about open source, and that reports of malware on smartphones are largely overblown for the threat they actually pose.
DiBona’s criticisms take special aim at companies dealing in smartphone anti-virus software, labeling those selling such tools as “charlatans and scammers”. He rightly points out that nearly all the malware we’ve seen on smartphones thus far has been trojans rather than anything resembling a virus, which by definition must be able to spread to other devices. Unsurprisingly, he’s already attracting the ire of companies like Kaspersky that develop smartphone security software.
Maybe DiBona’s splitting hairs over the virus/trojan distinction, but he has a point. Malware that uses exploits to bypass Android security protocols may be one thing, but most malware is working within the confines of Android security just as any normal app would. Trying to divine intent when an app requests permissions is a losing battle, and Google ultimately turns that decision over to the user at the time of installation. This is a knowing choice, and doesn’t represent a risk built into Android so much as it reflects the system’s open design; if you want to treat your smartphone users as adults, and give them a large degree of control over software choices, that includes granting them the ability to make bad decisions. When malware is found, DiBona notes that Google, just like any other app store owner, is quick to remove it.
All things considered, he argues that Android security isn’t anywhere near the big problem some make it out to be, and so attempts to sell you software based on a false threat are disingenuous. Do you think he’s on to something here?