SkillVet : Automated traceability analysis of Amazon Alexa skills

Edu, Jide S. and Ferrer-Aran, Xavier and Such, Jose and Suarez-Tangil, Guillermo (2023) SkillVet : Automated traceability analysis of Amazon Alexa skills. IEEE Transactions on Dependable and Secure Computing, 20 (1). pp. 161-175. ISSN 1545-5971 (https://doi.org/10.1109/TDSC.2021.3129116)

[thumbnail of Edu-etal-TDSC-2023-Automated-traceability-analysis-of-Amazon-Alexa-skills]
Preview
 Text. Filename: Edu_etal_TDSC_2023_Automated_traceability_analysis_of_Amazon_Alexa_skills.pdf
Accepted Author Manuscript
License: Strathprints license 1.0
Download (1MB)| Preview

Abstract

Third-party software, or skills, are essential components in Smart Personal Assistants (SPA). The number of skills has grown rapidly, dominated by a changing environment that has no clear business model. Skills can access personal information and this may pose a risk to users. However, there is little information about how this ecosystem works, let alone the tools that can facilitate its study. In this paper, we present the largest systematic measurement of the Amazon Alexa skill ecosystem to date. We study developers' practices in this ecosystem, including how they collect and justify the need for sensitive information, by designing a methodology to identify over-privileged skills with broken privacy policies. We collect 199,295 Alexa skills and uncover that around 43% of the skills (and 50% of the developers) that request these permissions follow bad privacy practices, including (partially) broken data permissions traceability. In order to perform this kind of analysis at scale, we present SkillVet that leverages machine learning and natural language processing techniques, and generates high-accuracy prediction sets. We report a number of concerning practices including how developers can bypass Alexa's permission system through account linking and conversational skills, and offer recommendations on how to improve transparency, privacy and security. Resulting from the responsible disclosure we have conducted,13% of the reported issues no longer pose a threat at submission time.

CORE (COnnecting REpositories)