SkillVet: Automated Traceability Analysis of Amazon Alexa Skills

Skills, are essential components in Smart Personal Assistants (SPA). The number of skills has grown rapidly, dominated by a changing environment that no clear business model. Skills can access personal information and this may pose risk to users. However, there is little about how ecosystem works, let alone the tools facilitate its study. In article, we present largest systematic measurement Amazon Alexa skill date. We study developers’ practices ecosystem, including they collect justify need for sensitive information, designing methodology identify over-privileged with broken privacy policies. 199,295 uncover around 43% (and 50% developers) request these permissions follow bad practices, (partially) data traceability. order perform kind analysis at scale, SkillVet leverages machine learning natural language processing techniques, generates high-accuracy prediction sets. report several concerning developers bypass Alexa's permission system through account linking conversational skills, offer recommendations on improve transparency, security. Resulting from responsible disclosure did, 13% reported issues longer threat submission time.