Google Assistant
We conducted a few experiments on Google Assistant platform as well. While Google does do a better job in the certification process based on our preliminary measurement, it is still not perfect and it does have potentially exploitable flaws that need to be tested more in the future.
In total, we submitted 273 policy-violating actions that are required by Amazon/Google, and observe if they can pass the certification. As a result, 116 of them got approved. We submitted 85 actions for kids and got 15 approved; for other categories, 101 actions approved among 188 acitons. The content policy guidelines stated by Google can be found here.
A notable difference between the two is that Google requires an action-specific privacy policy for every action whereas Amazon requires developers to provide a developer privacy policy only when the skill explicitly states that it collects personal data. For other skills, it is not mandatory to provide one.
For the entire collection of malicious skills please visit our youtube channel.
Here are some of examples of approved actions:
This Google action violates 2.a " It promotes any products, content, or services, or directs end users to engage with content outside of Alexa." and 2.f "Actions must not contain ads, including in streaming media.". This action was certified and published in the kids' category of the Google action store.
This Google action violates 2.e "It includes content not suitable for all ages." and 10.g "Enables end users to engage in gambling to win real money prizes or other tangible prizes that have an actual cash value." This action was certified and published in the kids' category of the Google action store.
This Google action violates 2.e "It includes content not suitable for all ages." and 10.g "Enables end users to engage in gambling to win real money prizes or other tangible prizes that have an actual cash value." This action was certified and published in the kids' category of the Google action store.
Here is an example of how to bypass the certification and change the action content after certification. This action uses the "sys.any" to get any type of user input. While action code can be changed in inline editor after action approved, the action content can be changed to get any data from user. In this video, we changed action from getting user's favorite color to getting user's name.
Actions for Families/Kids
Actions for families is Google’s program for family-friendly actions that engage the whole family. We submitted 85 actions that violate policy guidelines specific to actions intended for children. While 70 of these actions were rejected, 15 actions did pass the certification. From our experiment results, we could infer that Google has a strict certification procedure for actions for families.
Bypassing Certification
Several methods can be user to bypass the certification system. First we added the malicious response to a large number of possible responses so that the certification team would not encounter it by limited voice checking. The second method we used to bypass the certification stage was to ask for personal information indirectly. Rather than asking a user his/her name or age directly we could use a simple math trick that allows us to infer the age or casually add a "What should we call you?" at the later stages of an action’s functionality.
Inconsistency of Certification
We noticed that there were a lot of inconsistencies (same as in Amazon Alexa) in the feedback provided by the certification team after the submission of actions. In some cases, the action failed in certification while in others the same action passed certification even though there was no change. In some other cases, the actions were rejected citing different reasons.
Dynamic Testing
Only 76 actions were available in the families/kids category of Google Assistant platform as of April 2020. We performed a dynamic testing on all these actions. We found one problematic action called "Smallfoot" that asks the user’s name. In addition, the URL provided as the action’s privacy policy does not lead to a webpage that contains a privacy policy but rather to a page advertising the company’s products.
Post-Certification Vulnerability
The back-end of an action can be updated after the certification and this will not require a re-certification to be made available in the production version. The entity sys.any can be used to store all kinds of data. By changing the content of the question in the back-end after certification, an action that uses this entity can collect any kind of information including personal information from the response provided by users. The upper example action "songer test" (4st video) realized this kind of function.
Feedback Time for Certification
For skill submissions, in most cases, we received the certification feedback within 24 hours. The certification process of Google actions took varying amounts of time. For submissions in 2019, most certification results were received within 1-2 days. However, for our recent submissions from February to April 2020, the certification feedback was received much faster. The average time is about 1 hour and about 10% of actions took less than 10 minutes to get a feedback.
We also find that in most cases, feedback emails we received from Amazon had timestamps between 11:40pm and 8:37am EST while Google actions were received between 10:51am and 1:19am EST (most 8:am to 7:00pm PST). This indicates that the Google certification team possibly works based on the US timezone, as opposed to the Alexa’s certification team.
Continue reading..
Read our other sections
COPPA Compliance
It is possible that the third-party skills in Amazon Alexa suffers the legal risk of violating the Children’s Online Privacy Protection Act (COPPA) rules. . As demonstrated by our experiments, developers can certify skills that collect personal information from children without satisfying or honoring any of the requirements set forth by the FTC.
Learn MoreExperiment Setup
We performed “adversarial” experiments against the skill certification process of the Amazon Alexa platform. For testing the trustworthiness, we craft 132 policy-violating skills that intentionally violate specific policies defined by Amazon, and examine if it gets certified and published to the store or not.
Learn MoreExperiment Results
Our results showed strong evidence that Alexa's skill certification process is implemented in a disorganized manner. We were able to publish all 132 skills that we submitted although some of them required a resubmission.
Learn More