Smartphones are taking a beating these days from security vendors who seem to release a new report each week about increases in mobile malware. And out of the major platforms, Android is supposedly the biggest target, both because of the open nature of its app store and its robust market share.

But if you believe Google's Chris DiBona, the company's open source and public sector programs manager, it's all a big load of excrement. Neither Android nor its competitors Apple and BlackBerry have security problems severe enough to merit this level of attention, DiBona argued in a post on Google+ last week.

"Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS," DiBona wrote. "They are charlatans and scammers. If you work for a company selling virus protection for android, RIM or iOS you should be ashamed of yourself."

DiBona's remarks came one day after Juniper Networks reported a 472 percent increase in Android malware samples collected since July. As if in response, McAfee Labs issued its third-quarter report on Monday, which claimed "this quarter Android was the sole target of mobile malware writers." The malware writers' products include SMS-sending Trojans, malware designed to record phone calls, and root exploits that gain access to system databases, breaking free of the application sandbox Android normally uses to keep sensitive data safe.

In yet another report, albeit a gimmicky one, the firm Bit9 created a "Dirty Dozen" list of the most vulnerable mobile devices and gave every single spot to Android. Bit9 brings up Android's platform fragmentation issue, noting that "Fifty-six percent of Android phones in the marketplace today are running out-of-date and insecure versions of the Android operating system software" and that "manufacturers such as Samsung, HTC, Motorola and LG often launch new phones with outdated software out of the box, and they are slow to upgrade these phones to the latest and most secure versions of Android."

But while the risk is growing, mobile security threats still aren't as sophisticated as the ones designed for PCs, a point DiBona makes in his post.

Phones don't have virus problems?

"All the major vendors have app markets, and all the major vendors have apps that do bad things, are discovered, and are dropped from the markets," DiBona wrote. "No major cell phone has a 'virus' problem in the traditional sense that windows and some mac machines have seen. There have been some little things, but they haven't gotten very far due to the user sandboxing models and the nature of the underlying kernels."

"Yes, a virus of the traditional kind is possible, but not probable," he continued. "The barriers to spreading such a program from phone to phone are large and difficult enough to traverse when you have legitimate access to the phone, but this isn't independence day [the movie], a virus that might work on one device won't magically spread to the other."

DiBona further complained about critics claiming that "Android is festooned with viruses because we do not exert Apple like controls over the app market."

To get the perspective of one of DiBona's "charlatans," we spoke with James Lyne, the director of technology strategy at Sophos. Lyne, in a way, agrees with DiBona's point that antivirus software designed for PCs shouldn't be shoehorned into mobile devices, but says limitations in today's mobile security products are due largely to the phone makers (particularly Apple) being uncooperative with security vendors. "There is some legitimacy to the point he is trying to make," Lyne told Ars. "But I think he may have gone to an extreme that is unhelpful."

The PC approach of scanning files and matching them with malware databases isn't right for smartphones, Lyne said, noting smartphones' rich permission systems that prevent applications from accessing all of the phone's capabilities, as well as sandboxing and the ability for vendors to remotely delete malicious applications from user-owned devices. Still, Lyne said there is a need for security products to enforce password and encryption policies, keep phones patched and up to date, and check the reputation of applications before they are downloaded. These types of products may end up being called antivirus software, but they're actually quite different from what the name suggests.

Although today's mobile threats are usually simple to detect, Lyne and other security experts warned that, as smartphones become more prevalent and gain more access to confidential data, attacks will grow and become more sophisticated. Android lags behind the iPhone in several areas; for example, Android devices consistently fail to have full disk encryption built in, he said. The ease with which applications can be sideloaded onto Android devices and the less restrictive nature of the Android Market vs. the Apple App Store also make it a more appealing target to criminal hackers.

Security firms want more cooperation from Apple, Google

But that doesn't mean Apple's security model is perfect, either. Security researcher Charlie Miller recently found a flaw within the iOS App Store that could potentially let any app download and run unsigned code. Miller created an app capable of exploiting the flaw, and got it approved by Apple for inclusion in the App Store. Apple eventually pulled the application and even gave Miller a one-year ban from its developer program, but his success in getting the application onto the store shows Apple's culling process likely can't catch every malicious piece of software.

Lyne called on Apple to expand its security APIs to provide a greater level of trusted access to the operating system—for example, an improved ability to scan and encrypt files opened by Safari. He said Google doesn't provide all that is necessary either, but enough Android code is public that you could write your own APIs. "Apple is the most obstinate by far," Lyne told Ars. "Google has actually been quite supportive in the grand scheme of things. I think Android will get there faster, but it doesn't have everything today."

Of course, just as DiBona pointed out, security vendors have a financial motivation to convince smartphone buyers that they're at risk. One security product published for Windows Phone by AVG was taken off the marketplace by Microsoft after it was found to be generally useless and to violate user privacy by sending information to AVG's servers. But that doesn't mean there isn't a place for mobile security products. Businesses in particular worry about the safety of data when providing access to e-mail and other services from mobile devices, and are interested in tools that manage employee access. Security products can also provide backup and restore functionality that consumers might be interested in.

While Google pulled 21 malicious applications from the Android Market back in March, apps aren't the only potential attack vector. Security reports from Georgia Tech and Syracuse University researchers recently found that smartphone Web browsers are rising in importance as an attack point.

"It's not time to panic about it yet," Lyne said. "But it's certainly time to start safeguarding ourselves, rather than put our heads in the sand and say this will never happen, these devices are magically secure."