twitter facebook rss

Never tell an AV guy that he’s unnecessary

Posted by on July 8, 2014.

If there is one thing I have learnt in years of security, it is this: never tell an AV guy that he is not necessary. But that is exactly what Adrian Ludwig, the lead engineer for Android security at Google, seems to have told the Sydney Morning Herald:

The majority of Android smartphone and tablet users do not need to install anti-virus and other security apps to protect them, despite dire warnings from security companies selling such products, Google’s head of Android security says.
Mobile anti-virus not needed: Google

First on the scene was Graham Cluley, now an independent security guru and commentator, but formerly of Dr Solomon and Sophos. Writing for the AV company BitDefender’s blog, he said

…you would expect him to know a thing or two about the risks that Android users are exposed to on the platform.

Unfortunately, judging by a report in the Sydney Morning Herald of what Ludwig told journalists at a recent meeting, he appears to be living in cloud cuckoo land.

Thing is, Ludwig backs his claims with hard statistics. Now we all know that statistics distort reality – that’s their purpose – but in this instance there is little justification (ie, no real cause) to suggest that Google would wish to fool its Android users into a false sense of security. Google’s security team is probably the most active of all security researchers in locating flaws in third-party software and helping make the internet safer. And its ability to locate and block malicious sites for users of Chrome is laudable.

Here’s one of the slides that back Ludwig’s assertions:

Android malware installs

Here’s another slide that compares some recent media headlines to reality;

android real risks

His conclusion is summarized in the final slide:

Android malware conclusion

Ludwig is not alone in this view. Scott Mortimer commented [re Cluley’s article], “Actually he is correct. Arguing in favor of Android AV on an AV vendor’s website doesn’t do a lot for the perceived validity and impartiality of your argument.

Vesselin Bontchev responded, “He is not ‘correct’…”

Neither of these are security lightweights. Scott Mortimer is an infosec analyst at the NATO Communications and Information Agency. Vesselin Bontchev is an AV luminary with a long and illustrious career in AV research. But he’s an AV guy – and I warned at the beginning that you shouldn’t tell an AV guy that he isn’t necessary. He describes Ludwig’s presentation as ‘advertising bullcrap’, and says of Mortimer,

apparently, you are one of the great unwashed who equate “anti-virus” with “scanner”, just because the AV programs of the scanner type are the most widespread kind of AV software and the only kind of such software that these people are capable of understanding and learning how to use.

It gets better (or worse, depending on your standpoint) and is decidedly edifyingly unedifying. But it disguises a very important question: which is the most important: user common sense or AV technology? Personally, I subscribe to the former, but don’t believe that you can rely on it. Common sense will stop more viruses than anti-virus software; but you cannot rely on everyone’s common-sense (nor can you rely on AV technology alone). I’m a bit like the buddhist who goes to church just in case…

Share This:

2 thoughts on “Never tell an AV guy that he’s unnecessary

  1. I wondered for a while where Scott and Vesselin were debating this so I could see what they had to say.

    Fortunately a quick Google (natch..) discovered it was happening on my very own corner of Google+

    Here’s the link in case anyone wishes to read more about what the respective sides had to say.

    Naturally, I side more with Vesselin’s opinion than that of Google’s security team (who have a vested interest in saying what a simply brilliant job they are doing at securing the Google Play store).

    But Vess is also critical of anyone who suggests anti-virus is essential for Android.

    My own view is that if you have common sense and your wits about you, you can avoid much of the risks on Android.

    The problem, of course, is that common sense isn’t very common. Particularly when it comes to computer security.

    And that’s why the vast majority of folks should probably run anti-virus on their Android.

    (BTW, anti-virus is much more than anti-virus these days. A point which often gets lost)

  2. y’know, google had someone saying very similar things a few years ago. in fact, he was even more visceral in his denouncement of mobile AV. his name was chris dibona.

    i seem to recall his views softened over time, as the mobile malware problem continued to grow and as google themselves had to take additional steps and develop new approaches to keeping google play clean.

    now we’ve got a new google guy saying this kind of thing. i guess google just really wants someone to say the people pointing out the risks on their platform are full of hot air.

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Expert Views, Kevin Townsend's opinions | Tags: , , , , ,