Discussion on:

Message 1 of 12
6 Votes
I have to disagree.
While Mr. Lambert makes some valid points about how modern phone operating systems are more secure than their traditional desktop counterparts are, he glosses over some very important facts and in doing so draws some incorrect conclusions about the effectiveness of and the need for antivirus on your mobile phone. I'd like to touch on a few things Mr. Lambert claims, starting with: "...each app is given its own work environment, and is unable to access other apps' data...This, by itself, is a huge security improvement, and means that no malicious software can do much harm by simply being installed."

The statement that scares me is his claim that apps cannot access other apps' data, and therefore malicious software can do little harm by simply being installed. This is incorrect on a number of levels, and the fact that this was published by a journalist on a major, well-respected blog in a forum on security no less, really shows the lack of understanding of the mobile space by traditional IT professionals and its potential impact on the enterprise. I would go so far as to say that it is this kind of lack of technical depth and expertise in this new frontier that makes mobile antivirus a must and the potential for danger so high.

Yes, by design Android and iOS force 3rd party apps only to run in and interact with data in their own process space. This is called sandboxing and is in fact a huge step forward over a traditional desktop OS when it comes to preventing viruses and attacks. However, in reality there are still threats, and while not as many as occur on the desktop, the fact of the matter is these threats are often more dangerous, because the system tends to operate under the assumption that it is immune from any ill-will.

At least on Android ANY app can get a list of all other packages installed on the phone. Apps can also "subscribe" to system events, such as "hey a new app was just installed". Mobile security apps use this event to initiate a scan and profile of an app whenever the installer is invoked, whether the app comes from Google's official market or is side-loaded.

Again I'm speaking about Android specifically here but there is also a necessary and sometimes misused OS mechanism called an Intent Receiver. An exploit of this particular mechanism and a serious permissions problem was uncovered right here in this forum a number of months ago (http://www.techrepublic.com/blog/security/androids-permission-system-does-it-really-work/6322). Apps advertise "intents" available to other apps and this gives the apps a way to interact with one another.

On top of this both Android and iOS have space for global data storage, so again there is some potential for doing damage and cross pollination here. I'm not saying that viruses are rampant on smart phones--they aren't. But that doesn't mean it's okay to be lackadaisical and just hope one doesn't take hold. Especially when perfectly good tools like Lookout (http://www.techrepublic.com/blog/smartphones/lookout-provides-security-and-anti-virus-for-your-android-phone/3335?tag=content;siu-container) can be obtained at no charge.

The second and even more alarming claim made in this article is: "So right away, the potential for trouble from a single app is fairly limited. But it also means that there's not much an antivirus could do either. Any antivirus software you install on a phone would not be able to scan any other app, or any data used by those apps."

As I already stated, antivirus packages on a mobile phone can and do scan other apps. Not on a byte-by-byte basis like a traditional OS antivirus does, but rather at a package level, where it looks for signatures of known threats, as well as repackaged threats, examines permissions, and can if needed review exposed intents. And while a virus on your phone may not be able to get into another application's sandbox (generally, as there are cases where even this safeguard has been circumvented), it most certainly can wreak havoc across your shared data store; this usually includes your photos, videos, etc. And unlike your traditional desktop malware, a threat on your phone could do things like SMS message all your photos to all your contacts. If that's not a security issue, I don't know what is.

When a threat is detected, as Mr. Lambert pointed out, mobile antivirus cannot simply uninstall the infected application. What he failed to mention though is that through the use of the intents we talked about earlier, antivirus can and does launch the uninstaller with the parameter of the offending application. So yes, technically it is the OS uninstaller and not the antivirus process that is doing the threat removal. But let's be honest, does that make a difference? The antivirus is still catching the threat and initiating the action that gets it off your phone. In my mind, that's a check in the "it works" column.

Perhaps the most perplexing statement to me in the article is the single sentence: "There is antivirus software out there for iOS and Android, but unless you jailbreak or root your device, their abilities are limited." Honestly I can't help but think Mr. Lambert has never actually done a jailbreak (or root in the case of Android), on one of his phones. If he had, he would know that this is often accomplished by downloading a jailbreak app!

I hope I'm not the only reader to see the irony here. Mr. Lambert points out that when a phone is rooted, there is then a potential for serious damage. Yet he says not to worry as long as you don't root the phone, ignoring the fact that you often get the phone into a rooted state by running an app. So if you could simply download an app that roots your phone intentionally, why then would he think it was inconceivable for someone to unintentionally download an app that rooted the device? Because bad guys always label viruses as such before submitting them to the market? It doesn't take a great leap of logic to conclude that smart phone malware can and periodically does jailbreak the device unknowingly to the user.

Again, I'm not trying to say that the sky is falling, that smart phones are not safe, and that you should never allow a smart phone to be on your company infrastructure. In fact I'm agreeing with Mr. Lambert that modern smart phone operating systems tend to be significantly more secure than their desktop brothers and sisters. That said, Mr. Lambert proves here that in many cases smart phone operating systems are significantly misunderstood, even by professionals in the industry. Installing antivirus on your phone is one measure you can take to help protect yourself against both malware, and the massive amounts of misinformation out there. Most antivirus packages for smart phones offer a free version for personal use and it only takes a few minutes to set it up. Am I the only one who disagrees with Mr. Lambert's conclusion that installing antivirus on my phone is not worth the effort?
Contributor
Posted by authorwjf
Updated - 31st Mar 2012
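
Added example, not part of the original post and not code from any antivirus product: a sketch of the package-level review the post describes, reading an app's declared permissions and the components it exposes to other apps through intents. It assumes the manifest has already been decoded to plain-text XML; the sample manifest, the package name `com.example.wallpapers` and the `RISKY_COMBOS` policy are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded (plain-text) manifest for a made-up app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SyncReceiver" android:exported="true"
              android:permission="com.example.wallpapers.SYNC"/>
    <service android:name=".Worker" android:exported="false"/>
  </application>
</manifest>"""

# Assumed policy (hypothetical): permission sets worth flagging when held together.
RISKY_COMBOS = [
    ({"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"},
     "can message the user's contacts"),
]

def scan_manifest(xml_text):
    """Return declared permissions, policy findings and unguarded exported components."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    findings = [why for combo, why in RISKY_COMBOS if combo <= perms]
    exposed = []
    for tag in ("activity", "service", "receiver"):
        for comp in root.iter(tag):
            flag = comp.get(ANDROID_NS + "exported")
            has_filter = comp.find("intent-filter") is not None
            # Historical default: with no explicit flag, an intent-filter
            # makes an activity, service or receiver reachable by other apps.
            exported = flag == "true" or (flag is None and has_filter)
            # A component protected by android:permission is not counted.
            if exported and comp.get(ANDROID_NS + "permission") is None:
                exposed.append(comp.get(ANDROID_NS + "name"))
    return {"package": root.get("package"), "permissions": sorted(perms),
            "findings": findings, "unguarded_exported": exposed}

if __name__ == "__main__":
    print(scan_manifest(SAMPLE_MANIFEST))
```
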