SkillVet: Automated Traceability Analysis of Amazon Alexa Skills

by Jide S. Edu, et al.

Third-party software, or skills, are essential components in Smart Personal Assistants (SPA). The number of skills has grown rapidly, dominated by a changing environment that has no clear business model. Skills can access personal information and this may pose a risk to users. However, there is little information about how this ecosystem works, let alone the tools that can facilitate its study. In this paper, we present the largest systematic measurement of the Amazon Alexa skill ecosystem to date. We study developers' practices in this ecosystem, including how they collect and justify the need for sensitive information, by designing a methodology to identify over-privileged skills with broken privacy policies. We collect 199,295 Alexa skills and uncover that around 43 that request these permissions follow bad privacy practices, including (partially) broken data permissions traceability. In order to perform this kind of analysis at scale, we present SkillVet that leverages machine learning and natural language processing techniques, and generates high-accuracy prediction sets. We report a number of concerning practices including how developers can bypass Alexa's permission system through account linking and conversational skills, and offer recommendations on how to improve transparency, privacy and security. Resulting from the responsible disclosure we have conducted,13 the reported issues no longer pose a threat at submission time.

