SkillVet : Automated traceability analysis of Amazon Alexa skills

Edu, Jide S. and Ferrer-Aran, Xavier and Such, Jose and Suarez-Tangil, Guillermo (2023) SkillVet : Automated traceability analysis of Amazon Alexa skills. IEEE Transactions on Dependable and Secure Computing, 20 (1). pp. 161-175. ISSN 1545-5971 (https://doi.org/10.1109/TDSC.2021.3129116)

Preview

Text. Filename: Edu_etal_TDSC_2023_Automated_traceability_analysis_of_Amazon_Alexa_skills.pdf Accepted Author Manuscript License: Strathprints license 1.0 Download (1MB)| Preview

Abstract

Third-party software, or skills, are essential components in Smart Personal Assistants (SPA). The number of skills has grown rapidly, dominated by a changing environment that has no clear business model. Skills can access personal information and this may pose a risk to users. However, there is little information about how this ecosystem works, let alone the tools that can facilitate its study. In this paper, we present the largest systematic measurement of the Amazon Alexa skill ecosystem to date. We study developers' practices in this ecosystem, including how they collect and justify the need for sensitive information, by designing a methodology to identify over-privileged skills with broken privacy policies. We collect 199,295 Alexa skills and uncover that around 43% of the skills (and 50% of the developers) that request these permissions follow bad privacy practices, including (partially) broken data permissions traceability. In order to perform this kind of analysis at scale, we present SkillVet that leverages machine learning and natural language processing techniques, and generates high-accuracy prediction sets. We report a number of concerning practices including how developers can bypass Alexa's permission system through account linking and conversational skills, and offer recommendations on how to improve transparency, privacy and security. Resulting from the responsible disclosure we have conducted,13% of the reported issues no longer pose a threat at submission time.

ORCID iDs

Edu, Jide S. ORCID: https://orcid.org/0000-0003-1325-8740

• Share and Export
  

  RDF+XMLBibTeXRIOXX2 XMLRDF+N-TriplesJSONDublin CoreAtomSimple MetadataReferMETSHTML CitationASCII CitationOpenURL ContextObjectEndNoteOpenURL ContextObject in SpanMODSMPEG-21 DIDLEP3 XMLData Cite XMLRIS (EndNote Online, Zotero, Ref manager, etc)RDF+N3Multiline CSV
• Item metadata

  Item type:	Article
  ID code:	85106
  Dates:	Date Event 1 February 2023 Published 18 November 2021 Published Online 14 October 2021 Accepted
  Subjects:	Science > Mathematics > Electronic computers. Computer science > Other topics, A-Z > Human-computer interaction
  Department:	Faculty of Science > Computer and Information Sciences
  Depositing user:	Pure Administrator
  Date deposited:	13 Apr 2023 08:38
  Last modified:	11 Nov 2024 13:54
  Related URLs:	Related item
  URI:	https://strathprints.strath.ac.uk/id/eprint/85106