If you'll scroll up to the comment you originally replied to, you'll see that I said Android and iOS have AV capabilities built into the OS and app delivery ecosystem. That's more than enough for most users: mobile OSes have something much closer to a capability-based security paradigm than desktop OSes, and both Apple and Google are pretty quick to nerf app behavior that subverts user expectations via system updates (unless it was done by the platform to support ad sales).
Your mobile device is a Turing machine, and as such it is vulnerable to malware. However, the built-in protections are probably sufficient unless you have a specific reason to believe they are not.
The only AV software for mobile devices that I have seen used is bundled with corporate "endpoint management" features like a VPN, patch and policy management, and remote wipe support. It's for enterprise customers that provision phones for their employees.
> You can generally forgo anti-malware on servers that are doing one thing that requires a smaller set of permissions (e.g., serving a website), but that's not because of the OS they are running.
It seems to me like you’re trying to have it both ways.
It really is because of the OS that one doesn’t need to run anti-malware software on those servers and also on the iPhone, which you seem to have admitted.
It seems like we're both trying to make a distinction that the other person thinks is unimportant. But if the crucial marker for you is whether anti-malware protection is built into the OS, then I've got great news for you: Windows has built-in AV, too, and it's more than enough for most users.
The distinction I was trying to make is that the anti-malware strategy used by servers (restrict what the user can do, use formal change control processes, monitor performance trends and compare resource utilization against a baseline and expectations inferred from incoming work metrics) is different from the anti malware strategy used by "endpoints" (scanning binaries and running processes for suspicious patterns).
Your mobile device is a Turing machine, and as such it is vulnerable to malware. However, the built-in protections are probably sufficient unless you have a specific reason to believe they are not.
The only AV software for mobile devices that I have seen used is bundled with corporate "endpoint management" features like a VPN, patch and policy management, and remote wipe support. It's for enterprise customers that provision phones for their employees.