Chris DiBona is, apparently, the open source and public programs manager at Google. And he thinks that I should be ashamed of myself because I work for a company that is “selling virus protection for android, rim or IOS.” (I’m sure he means Apple’s iOS, not Cisco’s IOS, and that he’s not doing a Gruberesque pun on RIM and toilets, but let’s not be picky. Yet.)
Well, lets not get too paranoid. He’s not naming me in particular, because I doubt if he’s ever heard of me, but anybody who works for the Dark Side and has a smartphone product. (Technically, I don’t work for anyone, but it’s no secret that a large proportion of my income comes from providing services and consultancy to a security company that does indeed have an Android product, among others. I should point out, though, that Mac Virus is totally vendor independent, and my views on this blog should not be taken as representing the views of that company or of anyone but me.)
DiBona is apparently upset by an article (he doesn’t say which one, as far as I can see) that claims that open source is inherently insecure. Fair enough: while I have reservations about the unthinking and sometimes inappropriate espousal of open source software, there are many, many examples of fine open source coding, including some excellent security tools. Unfortunately, after a few paragraphs of (mostly accurate) commentary about open source, DiBona launches into a way over-the-top tirade about smartphone security vendors, by way of a succession of straw man arguments.
(1) DiBona says “All the major vendors have app markets, and all the major vendors have apps that do bad things, are discovered, and are dropped from the markets.” True as far as it goes, but what he doesn’t mention here is that there are two main approaches to this strategy. Apple’s proactive whitelisting approach means that apps that do bad things rarely get into the App Store, and there is no way for a customer to bypass the App Store without jailbreaking. Android relies on its customers to tell them when an app is malicious, and stops allowing it access via the Android Market. That’s a lot less trouble and expense for Google, but it means that malicious apps are likelier to get “into the wild” (in a loose, non-WildList sense) before Google deals with them. And don’t forget that the Android Market isn’t the only legitimate way to get Android apps. You could, of course, argue that operating systems in general don’t usually try to regulate the third-party software that runs on them – it would actually be pretty daunting for an older desktop operating system to try to that retrospectively, PR-wise if not technically. Nevertheless, having decided to go reactive rather than proactive with Android, it could also be argued that Google has a vested interest in understating the risk to its customers.
(2) “No major cell phone has a ‘virus’ problem in the traditional sense that windows and some mac machines have seen.” More or less true, even of Symbian, which DiBona carefully avoids mentioning directly (sensitive, perhaps, to reports that Android is now more targeted than Symbian. In fact, numerically, viruses are a tiny proportion of the Windows problem, too, and it’s debatable whether any OS X malware can accurately be described as truly viral. Does this mean there is no malware problem with desktops? Hardly. Does it mean there are no Trojans for smart-phones? Hardly. DiBona simply chooses not to acknowledge them directly. He does say that “There have been some little things, but they haven’t gotten very far due to the user sandboxing models and the nature of the underlying kernels.” See point (1)…
A few days ago I considered a test by AV-Test that looked at free Android AV. That test used a sample set including “83 Android installation packages (APK) and 89 Dalvik binaries (DEX). No files were older than 5 months.” That doesn’t sound like “some little things” to me, though it’s a tiny number compared to the tens of millions of existing Windows malware samples.
But to be fair, sample numbers don’t tell us anything about prevalence. Actually, AV articles are usually a bit hazy about prevalence, not least because some of companies don’t like to extrapolate from their own telemetry to some sort of global guesstimate. So Tracey Mooney’s assertion that “last year 4.6 million Android smartphone users downloaded a suspicious wallpaper app that collected and transmitted user data to a site in China” is a rare example of the sort of “hostage-to-fortune” statistic I prefer to avoid.
And no, downloads are not the same as known infections. But it doesn’t suggest that large-scale infections are unknown in the smart-phone market. And before you say “well, McAfee would say that,” bear in mind that Mooney also mentioned that “At the time [March 2011] there were 21 apps on Google Marketplace that were infected with Malware that Google yanked from the market faster than I could blog the warning call.” So we’re not looking at a Get Google campaign, even though Kaspersky claims that the “DroidDream attack alone infected more than 100,000 users.”
By contrast, Juniper’s revelation that Android malware has increased by 472% sounds dramatic, but is irritatingly imprecise, representing a significant but much less dramatic rise in samples like that reported by McAfee.
(3) Well, let’s not get sidetracked by whether there are Linux viruses (that’s a matter of definition, but there is certainly Linux malware). Or, come to that, the curious question of whether viruses can leap from phone to phone. I’m not sure that anyone claimed they do, though I might come back to the technicalities of that possibility in another blog.
Alan Reiter has a more balanced view:
I’ve written for several years in Internet Evolution that I don’t think anti-malware software is currently needed for US cellphone users … But I’m coming around to the view that if you can find a proven excellent anti-malware program that doesn’t affect your phone’s performance or take up too much memory, it couldn’t hurt to download it, “just in case.”
So, Mr DiBona. Am I ashamed of myself for my connection with the AV industry? Well, I don’t happen to believe that anti-virus is the 100% solution that everyone wants there to be. I don’t even believe that it’s as effective as it used to be, though in many contexts it remains an essential part of a security strategy. I don’t claim that the security industry never hypes a product. I don’t even say that AV is essential on smart phones (even Android phones). In fact, there is no full-blown commercial AV on iOS, for example. A little commonsense can go a long way in the mobile market, where social engineering scams and SMS trojans are more to the point than viruses. But I do think there’s more to the security industry than hype and FUD, and I don’t feel any shame at being associated with an industry that on the whole does more good than harm.
ButI don’t think that misleading (deliberately or otherwise) the Android customerbase into a false sense of security by ignoring over a significant corpus of malware is anything to be proud of.
David Harley CITP FBCS CISSP
Small Blue-Green World/Mac Virus