Posted by Kevin on July 8, 2014.
If there is one thing I have learnt in years of security, it is this: never tell an AV guy that he is not necessary. But that is exactly what Adrian Ludwig, the lead engineer for Android security at Google, seems to have told the Sydney Morning Herald:
The majority of Android smartphone and tablet users do not need to install anti-virus and other security apps to protect them, despite dire warnings from security companies selling such products, Google’s head of Android security says.
Mobile anti-virus not needed: Google
First on the scene was Graham Cluley, now an independent security guru and commentator, but formerly of Dr Solomon and Sophos. Writing for the AV company BitDefender’s blog, he said:
…you would expect him to know a thing or two about the risks that Android users are exposed to on the platform.
Unfortunately, judging by a report in the Sydney Morning Herald of what Ludwig told journalists at a recent meeting, he appears to be living in cloud cuckoo land.
Thing is, Ludwig backs his claims with hard statistics. Now we all know that statistics distort reality – that’s their purpose – but in this instance there is little justification (ie, no real cause) to suggest that Google would wish to fool its Android users into a false sense of security. Google’s security team is probably the most active of all security researchers in locating flaws in third-party software and helping make the internet safer. And its ability to locate and block malicious sites for users of Chrome is laudable.
Here’s one of the slides that back Ludwig’s assertions:
Here’s another slide that compares some recent media headlines to reality:
His conclusion is summarized in the final slide:
Ludwig is not alone in this view. Scott Mortimer commented [re Cluley’s article], “Actually he is correct. Arguing in favor of Android AV on an AV vendor’s website doesn’t do a lot for the perceived validity and impartiality of your argument.”
Vesselin Bontchev responded, “He is not ‘correct’…”
Neither of these is a security lightweight. Scott Mortimer is an infosec analyst at the NATO Communications and Information Agency. Vesselin Bontchev is an AV luminary with a long and illustrious career in AV research. But he’s an AV guy – and I warned at the beginning that you shouldn’t tell an AV guy that he isn’t necessary. He describes Ludwig’s presentation as ‘advertising bullcrap’, and says of Mortimer,
apparently, you are one of the great unwashed who equate “anti-virus” with “scanner”, just because the AV programs of the scanner type are the most widespread kind of AV software and the only kind of such software that these people are capable of understanding and learning how to use.
It gets better (or worse, depending on your standpoint) and is decidedly edifyingly unedifying. But it disguises a very important question: which is more important, user common sense or AV technology? Personally, I subscribe to the former, but don’t believe that you can rely on it. Common sense will stop more viruses than anti-virus software; but you cannot rely on everyone’s common sense (nor can you rely on AV technology alone). I’m a bit like the Buddhist who goes to church just in case…