Recently, Chris DiBona published a comment (or blog post, or whatever it is) on Google+ bashing a lot of companies and people in the industry. He starts with "people claiming that open source is inherently insecure and that android is festooned with viruses because of that and because we do not exert apple like controls over the app market." Further down he claims that no major cell phone has a virus problem like Windows or Mac machines. There are some other harsh statements in the article, especially about vendors in the security space being charlatans and scammers.

It is not surprising that there has been a flood of press releases and other types of responses from vendors of anti-virus, anti-malware, and other types of security tools.

If you look at the facts, then in my opinion some things are evident:

  • Every type of software is potentially insecure - that includes closed source and open source
  • There are better and worse approaches to deal with security flaws - and that doesn't relate to software being open source or not
  • There is malware attacking Android devices and the number of known issues is growing
  • There are different approaches to marketplaces like the ones for Android and iOS - however, even open marketplaces could use independent testing and certification approaches to increase security
  • Yes, vendors are trying to earn money with security solutions for mobile devices and there is marketing in

However, the essential point is: there are security risks, and instead of bashing others the goal should be to mitigate those risks. That needs to be done before the security issues become too big. Saying that "If you read a report from a vendor that tries to sell you something based on protecting android, rim or ios from viruses they are also likely as not to be scammers and charlatans.", to quote Chris DiBona again, is absolutely misleading. The problem might not be as big as some marketeers try to tell us today - but there is a malware problem and there is a need to deal with it. That is not to say that anti-malware on mobile devices is the best choice to solve the problem... And yes, Chris DiBona isn't correct in saying that these usually aren't viruses but other types of malware. That's splitting hairs! So, instead of playing things down, it's about understanding current and upcoming risks and security needs, and then acting on that - regardless of whether the software is open source or closed source.

I personally believe that it's worse to play down security issues than to try to identify and address them. And if someone uses the wrong term (like "virus" for something that isn't a virus), OK - that happens, and "virus" is a term that is commonly misused. But it doesn't change the fundamental facts: there are security risks for mobile devices. Thus users have to react. Oh, and by the way: I thought we ended these religious "open source or not" discussions at least five or ten years ago. There is no value in these discussions. There is only value in providing better software.

And when talking about Android, looking at the way it uses information, I can only state that it is not the best example of "fair information practice" (to put it carefully). Information security is not only about malware and the like; it is about the way systems deal with information overall. With respect to the way Android deals with GPS locations, SSIDs of available WLANs, and other information, just have a look here (to give you just one example; there is more to be found on YouTube). So again, Google: do your homework first before you start bashing others.