I'm new to Android and have two questions concerning security:
1. Should I install an Antivirus program on my phone (like Norton, McAfee, etc)? If so, which is best?
This really depends upon who you ask. Google engineers and developers have always said "no" when pushed on the subject, and hackers and other modders sometimes hint at/say that a virus is a real possibility- so the truth is likely in the middle. Like all Linux distros the virus risk can come down to hinging upon what you mean by "virus" (annoying bloat-ware?, ornery mal-ware?, or full-on control-of-system virus?), and what that harmful file can actually do. In all Linux systems, all the system files (which the virus would need access to to entrench itself and propagate itself) are in the "root" ( "/") or top-most trunk (think of a tree) of the filesystem, and require what is called "root access" granted by the entering of a system password. The only folders/files that a virus can access without asking/prompting for password input/permission/authorization is what is called the "home" folder, which houses the user's documents, music, photos, etc. (think of "My Documents" in Windows- it is a little bigger than that but not by much). In Android I think this refers to the contents of the "/mnt/sdcard" and/or "/sdcard" locations. I know the "/system" folder (a very important one) prompts for authorization. Also on Linux/GNU systems, the viral file will be easy to delete/eviscerate if unable to entrench itself in the system files before a reboot, as it will remain just a file. In Android the real danger lies in fake apps that pose as real ones then gain access to the system files by you granting permissions to something that you wanted to have. Which leads into:
2. Is it safer to use the Amazon App Store instead of the Android Market, since Amazon screens all the apps in its store and Google doesn't?
Probably (if they do in fact screen/test applications), but their "test" is most likely a simple screening of what permissions the app is requesting and what it professes to do. I really think that is superfluous, and such screening should be the responsibility of each user. It doesn't require any coding skills to see that example application "A" (let's say it is a 3G/4G toggle widget) does not need permissions to access the camera, or the internet (it just needs access to the radios and settings). Likewise, alternative camera app "B" does not need read/write access to system files... And for some of the weird stuff, do what I do (as I am not a programmer and realize that some of the permissions are just because of how the paths the app has to follow are grouped in Android), just email the developer and/or do a quick google search for the app name. As has been stated above too, pay attention to the reviews- angry/disappointed people are more vocal than content ones...
To answer your questions, in summation, both are your choices if you want to take further precautions, but with common sense and a little inkling of what to watch for (lots of access request pop-ups, seriously bogged down system, using a TON of data in the middle of the night etc.) virus detectors really aren't (yet, if ever) necessary on Linux-based systems; and with spending 10 seconds reading the permissions each app requires before you download and asking "does this make sense?," app-store security is also a moot issue (for now).
Lastly I should add, that in the event of a virus that can entrench itself into your system, you can always wipe the phone/re-flash the ROM, and be back up and running in under an hour. And if a virus tries to unlock the bootloader to install its own system image on our Galaxy Nexii, it will wipe the phone and you will know immediately.
