Google Assistant

We conducted a few experiments on the Google Assistant platform as well. While Google does a better job in the certification process based on our preliminary measurement, it is still not perfect, and it has potentially exploitable flaws that need to be tested more in the future.

In total, we submitted 273 actions that violate policies required by Amazon/Google and observed whether they could pass certification. As a result, 116 of them were approved. We submitted 85 actions for kids and got 15 approved; for other categories, 101 of 188 actions were approved. The content policy guidelines stated by Google can be found here.

A notable difference between the two is that Google requires an action-specific privacy policy for every action whereas Amazon requires developers to provide a developer privacy policy only when the skill explicitly states that it collects personal data. For other skills, it is not mandatory to provide one.

For the entire collection of malicious skills, please visit our YouTube channel.

Here are some examples of approved actions:

This Google action violates 2.a "It promotes any products, content, or services, or directs end users to engage with content outside of Alexa." and 2.f "Actions must not contain ads, including in streaming media." This action was certified and published in the kids' category of the Google action store.

This Google action violates 2.e "It includes content not suitable for all ages." and 10.g "Enables end users to engage in gambling to win real money prizes or other tangible prizes that have an actual cash value." This action was certified and published in the kids' category of the Google action store.

This Google action violates 2.e "It includes content not suitable for all ages." and 10.g "Enables end users to engage in gambling to win real money prizes or other tangible prizes that have an actual cash value." This action was certified and published in the kids' category of the Google action store.

Here is an example of how to bypass the certification and change the action content after certification. This action uses the "sys.any" entity to accept any type of user input. Because the action code can be changed in the inline editor after the action is approved, the action content can be changed to collect any data from the user. In this video, we changed the action from asking for the user's favorite color to asking for the user's name.

Actions for Families/Kids

Actions for families is Google’s program for family-friendly actions that engage the whole family. We submitted 85 actions that violate policy guidelines specific to actions intended for children. While 70 of these actions were rejected, 15 actions did pass the certification. From our experiment results, we could infer that Google has a strict certification procedure for actions for families.

Bypassing Certification

Several methods can be used to bypass the certification system. First, we added the malicious response to a large number of possible responses so that the certification team would not encounter it during limited voice checking. The second method we used to bypass the certification stage was to ask for personal information indirectly. Rather than asking a user for his/her name or age directly, we could use a simple math trick that allows us to infer the age, or casually add a "What should we call you?" at the later stages of an action’s functionality.

Inconsistency of Certification

We noticed that there were a lot of inconsistencies (same as in Amazon Alexa) in the feedback provided by the certification team after the submission of actions. In some cases, the action failed in certification while in others the same action passed certification even though there was no change. In some other cases, the actions were rejected citing different reasons.

Dynamic Testing

Only 76 actions were available in the families/kids category of the Google Assistant platform as of April 2020. We performed dynamic testing on all of these actions. We found one problematic action called "Smallfoot" that asks for the user’s name. In addition, the URL provided as the action’s privacy policy does not lead to a webpage that contains a privacy policy but rather to a page advertising the company’s products.

Post-Certification Vulnerability

The back-end of an action can be updated after certification, and the update does not require re-certification before it becomes available in the production version. The entity sys.any can be used to store all kinds of data. By changing the content of the question in the back-end after certification, an action that uses this entity can collect any kind of information, including personal information, from the responses provided by users. The example action "songer test" shown above (4th video) implements this behavior.
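As an added example (not the authors' code or part of either platform), the following defender-side audit covers the two weaknesses described above: a violating response hidden among many variants, and a prompt changed after certification on an intent that uses sys.any. The snapshot format, intent names and patterns are constructed assumptions.

```python
import hashlib
import json
import re

# Constructed patterns for prompts that solicit personal data (an assumption,
# not Google's policy list).
PII_RE = re.compile(
    r"\bwhat(?:'s| is) your (?:full )?name\b|\bwhat should we call you\b"
    r"|\bhow old are you\b|\bdate of birth\b|\bwhere do you live\b",
    re.IGNORECASE,
)

def fingerprint(intent):
    """Stable hash of every response variant the user can hear for an intent."""
    blob = json.dumps(sorted(intent["responses"]), ensure_ascii=False)
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def audit(certified, live):
    """Compare the certified snapshot with the live action; return findings."""
    findings = []
    for name, intent in live.items():
        # Inspect every variant: one bad response can hide among many.
        for text in intent["responses"]:
            if PII_RE.search(text):
                findings.append((name, "pii_prompt", text))
        old = certified.get(name)
        if old is None:
            findings.append((name, "added_after_certification", ""))
        elif fingerprint(old) != fingerprint(intent):
            # A changed prompt on a sys.any slot can now collect anything.
            free_form = "sys.any" in intent.get("entities", [])
            kind = "sys_any_prompt_changed" if free_form else "responses_changed"
            findings.append((name, kind, ""))
    return findings

# Constructed sample data (hypothetical simplified format, not a platform export).
CERTIFIED = {
    "ask_favorite": {"entities": ["sys.any"],
                     "responses": ["What is your favorite color?"]},
    "tell_fact": {"entities": [], "responses": ["Cats sleep a lot."]},
}
LIVE = {
    "ask_favorite": {"entities": ["sys.any"],
                     "responses": ["What is your name?"]},
    "tell_fact": {"entities": [],
                  "responses": ["Cats sleep a lot.", "What should we call you?"]},
}

if __name__ == "__main__":
    for finding in audit(CERTIFIED, LIVE):
        print(finding)
```

Indirect requests such as the age-inference math trick will not match keyword patterns, so the comparison against the certified snapshot is the more reliable signal of the two.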

Feedback Time for Certification

For skill submissions, in most cases, we received the certification feedback within 24 hours. The certification process of Google actions took varying amounts of time. For submissions in 2019, most certification results were received within 1-2 days. However, for our recent submissions from February to April 2020, the certification feedback was received much faster. The average time is about 1 hour, and about 10% of actions took less than 10 minutes to receive feedback.

We also find that in most cases, feedback emails we received from Amazon had timestamps between 11:40pm and 8:37am EST, while feedback for Google actions was received between 10:51am and 1:19am EST (mostly 8:00am to 7:00pm PST). This indicates that the Google certification team possibly works based on the US timezone, as opposed to Alexa’s certification team.

Read our other sections

COPPA Compliance

It is possible that third-party skills in Amazon Alexa carry the legal risk of violating the Children’s Online Privacy Protection Act (COPPA) rules. As demonstrated by our experiments, developers can certify skills that collect personal information from children without satisfying or honoring any of the requirements set forth by the FTC.


Experiment Setup

We performed “adversarial” experiments against the skill certification process of the Amazon Alexa platform. To test its trustworthiness, we crafted 132 policy-violating skills that intentionally violate specific policies defined by Amazon, and examined whether they get certified and published to the store.


Experiment Results

Our results showed strong evidence that Alexa's skill certification process is implemented in a disorganized manner. We were able to publish all 132 skills that we submitted although some of them required a resubmission.
