Dump anti-virus and move to secure-by-design?
I stumbled across an article this morning that analyses the threat to the mobile devices from malware and comes to the conclusion that it is not likely a good idea to have an anti-virus on your mobile.
The premises are that only a very few of the mobile devices are currently infected, so the conclusion is that the infection is unlikely, plus that anti-virus software is terribly ineffective at catching the malware. The author concludes that the industry is best off to dump anti-virus on mobile and move to secure-by-design hardware and software.
I wholeheartedly agree that moving to secure-by-design devices would be excellent. I personally prefer an old trustworthy Nokia rather than any new fashionable smart phones for making calls and reading RSS. On the other hand, there is a couple of problems with the analysis and the proposition itself.
First, the apparent absence of the malware infection on the phones says nothing about either the actual infection or the possibility of infection. The mobile malware may get better tomorrow and the levels will jump overnight. Or perhaps we do not analyse it properly. The likelihood of infection is not a function of the current rate of infection.
Moreover, asking the mobile industry to make secure devices is vain. This is the same as asking the software industry to make secure software. They are just not going to. Security costs money, security is a cost for the manufacturer and they will reduce it through the floor if they can.
Secure-by-design is only going to happen when the costs of security breaches stop being externalities for the producer. As long as customers bear the costs, security remains the problem of the customer.