Security Testing for an Alexa Skill

To protect customer data, the cloud-based service for your skill must meet Amazon's security requirements. The specific requirements depend on whether you are hosting using AWS Lambda or your own endpoint. AWS Lambda is a service offering by Amazon Web Services.

2.1. Skills Hosted as Lambda Functions

Your Lambda function must ensure that requests are intended for your service, as discussed in the "Verifying that the Request is Intended for Your Service" section of Handling Requests Sent by Alexa.

2.2. Skills Hosted as Web Services on Your Own Endpoint

  • The web service must present a valid, trusted certificate when the connection is established and must possess the corresponding private key. Amazon only trusts certificates that have been signed by an Amazon-approved certificate authority.
  • Self-signed certificates cannot be used for published skills.
  • The service must verify that incoming requests were sent by the Alexa service. You can do this by validating the request signature as discussed in the "Verifying that the Request was Sent by Alexa" section of Hosting a Custom Skill as a Web Service.

    Note: the Java library provided with the Alexa Skills Kit provides a disableRequestSignature flag in the SpeechletServlet class that you can use for testing. If you used this while testing, be sure to set it back to false when you are ready to submit for certification.

  • The service must ensure that incoming requests are intended for your service, as discussed in the "Verifying that the Request is Intended for Your Service" section of Handling Requests Sent by Alexa.
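The checks in sections 2.1 and 2.2 (the request is really from Alexa and really meant for this skill) can be illustrated with the pieces that surround the signature check itself. The block below is an added example written for this page, not Amazon's own code or the Alexa Skills Kit library; the skill ID is a constructed placeholder, and the rules it applies to SignatureCertChainUrl, the 150-second timestamp window and the two applicationId locations follow Amazon's published request-verification documentation.

```python
"""Pre-checks on an Alexa request arriving at a self-hosted skill endpoint.

Added example, not Amazon's own code or the Alexa Skills Kit library.
It implements, with the standard library only, three checks that sit
around the signature verification Amazon requires:

  1. SignatureCertChainUrl must point at Amazon's certificate bucket
     (https, host s3.amazonaws.com, port 443 or none, normalized path
     under /echo.api/), so the endpoint never fetches a caller-chosen URL;
  2. the request timestamp must be within 150 seconds of the current
     time, which bounds replay of a captured request;
  3. every applicationId carried in the request must equal this skill's
     own ID, so requests intended for another skill are refused.

Downloading that certificate, checking its validity period, SAN and chain,
and verifying the Signature header over the raw request body is the
remaining step and needs a crypto library; it is not shown here.
"""
import posixpath
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlparse

# Constructed placeholder: a real skill loads its own ID from configuration.
MY_SKILL_ID = "amzn1.ask.skill.00000000-0000-0000-0000-000000000000"
TIMESTAMP_TOLERANCE = timedelta(seconds=150)


def cert_chain_url_is_valid(url: str) -> bool:
    """True only if url satisfies Amazon's published rules for SignatureCertChainUrl."""
    try:
        parts = urlparse(url)
        port = parts.port                      # ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    if (parts.hostname or "").lower() != "s3.amazonaws.com":
        return False
    if port not in (None, 443):
        return False
    # Normalize so "/echo.api/../other/cert.pem" cannot pass the prefix test;
    # the path comparison itself is case-sensitive.
    return posixpath.normpath(parts.path).startswith("/echo.api/")


def parse_alexa_timestamp(ts: str) -> datetime:
    """Parse the UTC timestamp format Alexa uses, e.g. 2024-01-01T00:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def timestamp_is_fresh(request_body: dict, now: Optional[datetime] = None) -> bool:
    """Reject requests whose request.timestamp is more than 150 s from now."""
    try:
        sent = parse_alexa_timestamp(request_body["request"]["timestamp"])
    except (KeyError, TypeError, ValueError):
        return False
    now = now or datetime.now(timezone.utc)
    return abs(now - sent) <= TIMESTAMP_TOLERANCE


def application_id_matches(request_body: dict, expected_id: str = MY_SKILL_ID) -> bool:
    """Accept the request only if every applicationId it carries is this skill's."""
    found = []
    for path in (("context", "System", "application"), ("session", "application")):
        node = request_body
        for key in path:
            node = node.get(key) if isinstance(node, dict) else None
        if isinstance(node, dict) and "applicationId" in node:
            found.append(node["applicationId"])
    return bool(found) and all(app_id == expected_id for app_id in found)


def request_passes_prechecks(headers: dict, request_body: dict,
                             now: Optional[datetime] = None) -> bool:
    """Combine the three checks; the signature check would follow a True result."""
    return (cert_chain_url_is_valid(headers.get("SignatureCertChainUrl", ""))
            and timestamp_is_fresh(request_body, now)
            and application_id_matches(request_body))


def make_request(timestamp: str, app_id: str) -> dict:
    """Constructed minimal request body in the shape Alexa sends (sample data)."""
    return {
        "version": "1.0",
        "session": {"application": {"applicationId": app_id}},
        "context": {"System": {"application": {"applicationId": app_id}}},
        "request": {"type": "LaunchRequest", "timestamp": timestamp},
    }


if __name__ == "__main__":
    headers = {"SignatureCertChainUrl": "https://s3.amazonaws.com/echo.api/echo-api-cert.pem"}
    body = make_request("2024-01-01T00:00:00Z", MY_SKILL_ID)
    print(request_passes_prechecks(headers, body,
                                   now=parse_alexa_timestamp("2024-01-01T00:01:00Z")))
```

The URL check runs before anything is fetched, which is the point: an endpoint that downloads whatever SignatureCertChainUrl names would let a caller steer it at an arbitrary host. The applicationId check is the one both sections 2.1 and 2.2 require, and it applies equally to a Lambda-hosted skill, where Amazon has already verified the signature for you.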

2.3. Skills with Account Linking

If your skill needs to connect the identity of the end user with a user in another system (account linking), please verify that your skill follows all the instructions defined in one of the following:

When submitting your skill, be sure to provide a valid set of account credentials with your testing instructions so our certification team can verify the account linking and functionality of your skill. Your skill must also pass the following account linking criteria:

  • The skill must use Amazon's account linking feature by redirecting the user to a login page or landing page when enabling the skill with the Alexa app.
  • The skill's privacy policy and terms of use links displayed in the Alexa app must each open to a valid web page.
  • If you are the owner of the credential system, your skill must pass the following criteria:
    • You must own the domain presenting the login page.
    • The login page must be served over HTTPS.
  • If you are not the owner of the credential system, your skill must pass the following criteria:
    • You must own the landing page that users are directed to when enabling your skill. This landing page must clearly communicate which third-party (3P) accounts are needed to link the account to the skill.
    • The landing page must direct the user to the domain login page owned by the OAuth providers and must be served over HTTPS.
    • You may not directly handle, store, or transmit credentials on behalf of the user.
  • If you are using Login with Amazon, your skill must pass the following criteria:
    • The login page URL must be from amazon.com and the page must be served over HTTPS.
    • The login page must clearly communicate which third-party (3P) accounts are needed to link the account to the skill.
    • You must clearly state the customer information your skill is collecting and using. This can be directly on the login page or in your privacy policy.
  • For a custom skill, the skill returns the LinkAccount card if a user invokes an intent that requires authorization, but has not yet linked their account.
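The last criterion above, returning the LinkAccount card when an intent needs authorization and the user has not linked, is shown in the following added example. It is not Amazon's or any skill's own code; the intent name, the in-memory backend and the constructed request bodies are assumptions of the example, while the response layout and the two places an access token can appear (context.System.user and session.user) follow the Alexa request and response format.

```python
"""Returning the LinkAccount card when a protected intent arrives unlinked.

Added example, not Amazon's own code. The intent name, the backend lookup
and the constructed requests are assumptions; the response shape and the
locations of the access token follow the Alexa request/response format.
"""
from typing import Optional

# Constructed stand-in for the third-party system reached with the linked token.
BACKEND_ACCOUNTS = {"constructed-token-1": {"balance": "42 credits"}}
# Intents that need the linked account (constructed names).
PROTECTED_INTENTS = {"GetBalanceIntent"}


def linked_access_token(request_body: dict) -> Optional[str]:
    """Return the account-linking token, or None when the user has not linked."""
    # Current requests carry it in context.System.user; older ones in session.user.
    for path in (("context", "System", "user"), ("session", "user")):
        node = request_body
        for key in path:
            node = node.get(key) if isinstance(node, dict) else None
        if isinstance(node, dict) and node.get("accessToken"):
            return node["accessToken"]
    return None


def speak(text: str, end_session: bool = True) -> dict:
    """Minimal Alexa response carrying only plain-text speech."""
    return {"version": "1.0",
            "response": {"outputSpeech": {"type": "PlainText", "text": text},
                         "shouldEndSession": end_session}}


def link_account_response() -> dict:
    """Speech plus the LinkAccount card; the Alexa app turns the card into a link prompt."""
    resp = speak("To use this feature, please link your account in the Alexa app.")
    resp["response"]["card"] = {"type": "LinkAccount"}
    return resp


def handle_intent(request_body: dict) -> dict:
    """Gate protected intents on a usable access token."""
    intent = request_body.get("request", {}).get("intent", {}).get("name")
    if intent not in PROTECTED_INTENTS:
        return speak("This feature does not need a linked account.")
    token = linked_access_token(request_body)
    if token is None:
        return link_account_response()        # authorization required, not linked yet
    account = BACKEND_ACCOUNTS.get(token)
    if account is None:
        # Token present but not accepted by the backend (revoked or expired): relink.
        return link_account_response()
    # Never echo the token itself in speech or on a card.
    return speak(f"Your balance is {account['balance']}.")


def make_intent_request(intent_name: str, token: Optional[str] = None) -> dict:
    """Constructed IntentRequest body in the shape Alexa sends (sample data)."""
    user = {"userId": "amzn1.ask.account.constructed"}
    if token:
        user["accessToken"] = token
    return {"version": "1.0",
            "session": {"user": dict(user)},
            "context": {"System": {"user": dict(user)}},
            "request": {"type": "IntentRequest", "intent": {"name": intent_name}}}


if __name__ == "__main__":
    print(handle_intent(make_intent_request("GetBalanceIntent")))
    print(handle_intent(make_intent_request("GetBalanceIntent", "constructed-token-1")))
```

Treating a token the backend no longer accepts the same way as a missing one is a design choice of this example: the user sees the same link prompt either way, and the skill never has to explain why a token failed.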

2.4. Skills that Allow Unlocking or Disarming

If your skill lets the user unlock or disarm a device, you must provide the user with an option to set up a voice code of at least four digits that can be used before executing the unlock / disarm action. You may provide customers with an option to opt out of the voice code requirements, if you would like. Without an established voice code, you can provide the customer with reduced functionality of your skill.

Tests and Expected Results

Test 1. Enable the skill and complete the account linking process. Ensure that the account linking flow includes setting a voice code to access unlock functionality and that the voice code meets the security requirements.

Expected results:
  • The voice code must be at least four digits long.
  • The flow should remind the user to reset the voice code every 60 days.

Test 2. If the skill offers reduced functionality when no voice code is set, disable the skill or log in to the Alexa app as an Alexa user who has not yet enabled the skill. Enable the skill, but do not set the voice code or opt out of the voice code requirement when prompted. Attempt to invoke the intents that let the user unlock or disarm a device.

Expected results:
  • The requests to unlock or disarm the device are not executed. The user is instructed to set a voice code to use these features.
  • Features other than unlock/disarm work normally without the voice code.

Test 3. Invoke each intent that lets a user unlock or disarm a device without opting out of the voice code.

Expected results:
  • Each request to unlock or disarm a device asks the user to speak the voice code.

Test 4. Invoke each intent that lets a user unlock or disarm a device. When prompted for the voice code, speak an incorrect voice code. Provide an incorrect voice code at least three times.

Expected results:
  • The skill rejects the incorrect voice code and does not complete the unlock or disarm request.
  • After three consecutive incorrect voice code attempts, the skill instructs you to reset your voice code. A fourth request with the original, correct voice code now fails.
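The four tests above together define a small policy: a code of at least four digits, a prompt before every unlock or disarm, rejection of wrong codes, lock-out after three consecutive failures (after which even the correct code is refused until the code is reset), a reset reminder at 60 days, and refusal of unlock/disarm while no code is set unless the user opted out. The following added example implements that policy as a state machine; it is not Amazon's code or any real skill's. The in-memory record, the PBKDF2 hashing of the code and the Outcome names are assumptions of the example.

```python
"""Voice-code policy for a skill that unlocks or disarms a device.

Added example, not Amazon's own code. It implements the behaviour the
certification tests check: a code of at least four digits, a prompt for
the code before any unlock/disarm action, rejection of a wrong code,
lock-out after three consecutive failures (the correct code is refused
until the code is reset), a reminder to reset the code every 60 days, and
refusal of unlock/disarm while no code is set. The in-memory record,
PBKDF2 hashing and the Outcome names are assumptions of this example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

MIN_CODE_DIGITS = 4
MAX_FAILED_ATTEMPTS = 3
RESET_REMINDER_INTERVAL = timedelta(days=60)
PBKDF2_ITERATIONS = 100_000


class Outcome(Enum):
    EXECUTED = "unlock/disarm performed"
    EXECUTED_REMIND_RESET = "performed; remind the user the code is over 60 days old"
    NEED_CODE_SETUP = "refused; ask the user to set a voice code first"
    PROMPT_FOR_CODE = "ask the user to speak the voice code"
    REJECTED = "wrong code; unlock/disarm not performed"
    LOCKED_RESET_REQUIRED = "locked after repeated failures; reset the voice code"


@dataclass
class VoiceCodeRecord:
    salt: bytes
    digest: bytes           # PBKDF2 of the code, never the code itself
    set_at: datetime
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class UserSecurityState:
    code: Optional[VoiceCodeRecord] = None
    opted_out: bool = False  # user chose to skip the voice-code requirement


def at(iso_utc: str) -> datetime:
    """Parse a UTC timestamp such as 2024-01-01T00:00:00Z (helper for the demo)."""
    return datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def set_voice_code(state: UserSecurityState, code: str, now: datetime) -> bool:
    """Set or reset the code; replacing the record also clears any lock-out.
    Returns False when the code is not at least four ASCII digits."""
    if not (code.isascii() and code.isdigit() and len(code) >= MIN_CODE_DIGITS):
        return False
    salt = os.urandom(16)
    state.code = VoiceCodeRecord(salt, _hash_code(code, salt), now)
    return True


def unlock_request(state: UserSecurityState, spoken_code: Optional[str],
                   now: datetime) -> Outcome:
    """Policy decision for an unlock or disarm intent; other intents never call this,
    so they keep working without a code (the reduced-functionality case)."""
    if state.opted_out:
        return Outcome.EXECUTED
    rec = state.code
    if rec is None:
        return Outcome.NEED_CODE_SETUP             # refused until a code is set
    if rec.locked:
        return Outcome.LOCKED_RESET_REQUIRED       # even the correct code fails now
    if spoken_code is None:
        return Outcome.PROMPT_FOR_CODE
    if hmac.compare_digest(_hash_code(spoken_code, rec.salt), rec.digest):
        rec.failed_attempts = 0                    # only consecutive failures count
        if now - rec.set_at >= RESET_REMINDER_INTERVAL:
            return Outcome.EXECUTED_REMIND_RESET
        return Outcome.EXECUTED
    rec.failed_attempts += 1
    if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
        rec.locked = True
        return Outcome.LOCKED_RESET_REQUIRED
    return Outcome.REJECTED


if __name__ == "__main__":
    state, t = UserSecurityState(), at("2024-01-01T00:00:00Z")
    set_voice_code(state, "4821", t)
    for attempt in ("0000", "1111", "2222", "4821"):     # fourth one is correct
        print(attempt, "->", unlock_request(state, attempt, t).value)
```

The code is stored only as a salted PBKDF2 digest and compared with hmac.compare_digest, and the lock-out is checked before the code is compared, which is what makes the fourth, correct attempt in Test 4 fail. How the reset itself is authenticated (for example through the linked account in the Alexa app rather than by voice) is outside this example.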

2.5. Privacy Requirements

The skill must not:

  1. Contain references to or include malicious hacking, such as phishing or Trojans. This includes rooting a device or circumventing Amazon's or any developer's digital rights management (DRM) software.
  2. Contain references to or include malicious user spying or tracking, including stalking, in the skill or skill metadata.
  3. Misuse customer personally identifiable information or sensitive personal information.
  4. Collect personal information from end users without doing all of the following: (i) provide notice of that data collection to end users in your skill's detail page, (ii) use the information in a way that end users have consented to, and (iii) ensure that your collection and use of that information complies with your privacy notice and all applicable laws.

    Prior to submitting a skill that collects personal information from end users, you are required to supply a privacy policy that will be displayed to end users on your skill's detail page in the Alexa App.