-
Voice App Developer Experiences with Alexa and Google Assistant: Juggling Risks, Liability, and Security
Authors:
William Seymour,
Noura Abdi,
Kopo M. Ramokapane,
Jide Edu,
Guillermo Suarez-Tangil,
Jose Such
Abstract:
Voice applications (voice apps) are a key element in Voice Assistant ecosystems such as Amazon Alexa and Google Assistant, as they provide assistants with a wide range of capabilities that users can invoke with a voice command. Most voice apps, however, are developed by third parties - i.e., not by Amazon/Google - and they are included in the ecosystem through marketplaces akin to smartphone app stores but with crucial differences, e.g., the voice app code is not hosted by the marketplace and is not run on the local device. Previous research has studied the security and privacy issues of voice apps in the wild, finding evidence of bad practices by voice app developers. However, developers' perspectives are yet to be explored.
In this paper, we report a qualitative study of the experiences of voice app developers and the challenges they face. Our findings suggest that: 1) developers face several risks due to liability pushed on to them by the more powerful voice assistant platforms, which are linked to negative privacy and security outcomes on voice assistant platforms; and 2) there are key issues around monetization, privacy, design, and testing rooted in problems with the voice app certification process. We discuss the implications of our results for voice app developers, platforms, regulators, and research on voice app development and certification.
Submitted 15 November, 2023;
originally announced November 2023.
-
Exploring the Risks and Challenges of National Electronic Identity (NeID) System
Authors:
Jide Edu,
Mark Hooper,
Carsten Maple,
Jon Crowcroft
Abstract:
Many countries have embraced national electronic identification (NeID) systems, recognising their potential to foster a fair, transparent, and well-governed society by ensuring the secure verification of citizens' identities. The inclusive nature of NeID empowers people to exercise their rights while holding them accountable for fulfilling their obligations. Nevertheless, the development and implementation of these complex identity-verification systems have raised concerns regarding security, privacy, and exclusion. In this study, we discuss the different categories of NeID risk and explore the successful deployment of these systems, while examining how the specific risks and other challenges posed by this technology are addressed. Based on the review of the different NeID systems and the efforts made to mitigate the unique risks and challenges presented within each deployment, we highlighted the best practices for mitigating risk, including implementing strong security measures, conducting regular risk assessments, and involving stakeholders in the design and implementation of the system.
Submitted 24 October, 2023;
originally announced October 2023.
-
An Impact and Risk Assessment Framework for National Electronic Identity (eID) Systems
Authors:
Jide Edu,
Mark Hooper,
Carsten Maple,
Jon Crowcroft
Abstract:
Electronic identification (eID) systems allow citizens to assert and authenticate their identities for various purposes, such as accessing government services or conducting financial transactions. These systems improve user access to rights, services, and the formal economy. As eID systems become an essential facet of national development, any failure, compromise, or misuse can be costly and damaging to the government, users, and society. Therefore, an effective risk assessment is vital for identifying emerging risks to the system and assessing their impact. However, developing a comprehensive risk assessment for these systems must extend far beyond focusing on technical security and privacy impacts and must be conducted with a contextual understanding of stakeholders and the communities these systems serve. In this study, we posit that current risk assessments do not address risk factors for all key stakeholders and explore how potential compromise could impact them each in turn. In the examination of the broader impact of risks and the potentially significant consequences for stakeholders, we propose a framework that considers a wide range of factors, including the social, economic, and political contexts in which these systems were implemented. This provides a holistic platform for a better assessment of risk to the eID system.
Submitted 24 October, 2023;
originally announced October 2023.
-
SkillVet: Automated Traceability Analysis of Amazon Alexa Skills
Authors:
Jide S Edu,
Xavier Ferrer-Aran,
Jose M Such,
Guillermo Suarez-Tangil
Abstract:
Third-party software, or skills, are essential components in Smart Personal Assistants (SPA). The number of skills has grown rapidly, dominated by a changing environment that has no clear business model. Skills can access personal information and this may pose a risk to users. However, there is little information about how this ecosystem works, let alone the tools that can facilitate its study. In this paper, we present the largest systematic measurement of the Amazon Alexa skill ecosystem to date. We study developers' practices in this ecosystem, including how they collect and justify the need for sensitive information, by designing a methodology to identify over-privileged skills with broken privacy policies. We collect 199,295 Alexa skills and uncover that around 43% of the skills (and 50% of the developers) that request these permissions follow bad privacy practices, including (partially) broken data permissions traceability. In order to perform this kind of analysis at scale, we present SkillVet that leverages machine learning and natural language processing techniques, and generates high-accuracy prediction sets. We report a number of concerning practices including how developers can bypass Alexa's permission system through account linking and conversational skills, and offer recommendations on how to improve transparency, privacy and security. Resulting from the responsible disclosure we have conducted, 13% of the reported issues no longer pose a threat at submission time.
Submitted 14 January, 2022; v1 submitted 3 March, 2021;
originally announced March 2021.
-
Smart Home Personal Assistants: A Security and Privacy Review
Authors:
Jide S. Edu,
Jose M. Such,
Guillermo Suarez-Tangil
Abstract:
Smart Home Personal Assistants (SPA) are an emerging innovation that is changing the way in which home users interact with the technology. However, there are a number of elements that expose these systems to various risks: i) the open nature of the voice channel they use, ii) the complexity of their architecture, iii) the AI features they rely on, and iv) their use of a wide-range of underlying technologies. This paper presents an in-depth review of the security and privacy issues in SPA, categorizing the most important attack vectors and their countermeasures. Based on this, we discuss open research challenges that can help steer the community to tackle and address current security and privacy issues in SPA. One of our key findings is that even though the attack surface of SPA is conspicuously broad and there has been a significant amount of recent research efforts in this area, research has so far focused on a small part of the attack surface, particularly on issues related to the interaction between the user and the SPA devices. We also point out that further research is needed to tackle issues related to authorization, speech recognition or profiling, to name a few. To the best of our knowledge, this is the first article to conduct such a comprehensive review and characterization of the security and privacy issues and countermeasures of SPA.
Submitted 17 August, 2020; v1 submitted 13 March, 2019;
originally announced March 2019.