Security Testing for an Alexa Skill
To protect customer data, the cloud-based service for your skill must meet Amazon's security requirements. The specific requirements depend on whether you are hosting using AWS Lambda or your own endpoint. AWS Lambda is a service offering by Amazon Web Services.
- 2.1. Skills Hosted as Lambda functions
- 2.2. Skills hosted as web services on your own endpoint
- 2.3. Skills with Account Linking
- 2.4. Skills that allow unlocking or disarming
- 2.5 Privacy requirements
- 2.6 Voice code requirements
- Related topics
2.1. Skills Hosted as Lambda functions
Your Lambda function must ensure that requests are intended for your service, as discussed in Verify that the request came from your skill.
2.2. Skills hosted as web services on your own endpoint
- The web service must present a valid, trusted certificate when the connection is established and must possess the corresponding private key. Amazon only trusts certificates that have been signed by an Amazon-approved certificate authority.
- Self-signed certificates cannot be used for published skills.
- The service must verify that incoming requests were sent by the Alexa service. You can do this by validating the request signature as discussed in Verify that the request was sent by Alexa.
Note: The Java library provided with the Alexa Skills Kit provides a disableRequestSignature flag in the SpeechletServlet class that you can use for testing. If you used this while testing, be sure to set it back to false when you are ready to submit for certification.
- The service must ensure that incoming requests are intended for your service, as discussed in Verify that the request came from your skill.
2.3. Skills with Account Linking
If your skill needs to connect the identity of the end user with a user in another system (account linking), please verify that your skill follows all the instructions defined in one of the following:
When submitting your skill, be sure to provide a valid set of account credentials with your testing instructions so our certification team can verify the account linking and functionality of your skill. Your skill must also pass the following account linking criteria:
- The skill must use Amazon's account linking feature by redirecting the user to a login page or landing page when enabling the skill with the Alexa app.
- If you are the owner of the credential system, your skill must pass the following criteria:
- You must own the domain that presents the login page.
- The main domain URL of the login page must reflect your brand, skill, or developer name. In other words, if the URL for your skill is https://www.example.com/xyz, the example.com portion of the URL must reflect the brand, skill, or developer name.
- The login page must indicate your brand, skill, or developer name in the form of text or an icon.
- The login page must be served over HTTPS.
- If you are not the owner of the credential system, your skill must pass the following criteria:
- You must own the landing page that users are directed to when enabling your skill. This landing page must clearly communicate which third-party (3P) accounts are needed to link the account to the skill.
- The landing page must direct the user to the domain login page owned by the OAuth providers and must be served over HTTPS.
- You may not directly handle, store, or transmit credentials on behalf of the user.
- If you are using Login with Amazon, your skill must pass the following criteria:
Tip: For a detailed walk-through for using Login with Amazon with the Alexa Skills Kit, see 5 Steps to Seamlessly Link Your Alexa Skill with Login with Amazon.
- The login page URL must be from amazon.com and the page must be served over HTTPS.
- The login page must clearly communicate which third-party (3P) accounts are needed to link the account to the skill.
- For a custom skill, the skill returns the LinkAccount card if a user invokes an intent that requires authorization, but has not yet linked their account.
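The two request-level checks described so far (confirming the request is intended for your skill, and returning the LinkAccount card when an unlinked user invokes an intent that requires authorization) can be combined in one gate that runs before any intent handler. This is an added example, not code from Amazon or the Alexa Skills Kit; the skill ID, the intent name `GetBalanceIntent`, and the function names are placeholders, and the sample request is constructed.

```python
# Added example (not Amazon's code). The skill ID and intent name are placeholders.
EXPECTED_SKILL_ID = "amzn1.ask.skill.00000000-0000-0000-0000-000000000000"
PROTECTED_INTENTS = {"GetBalanceIntent"}  # hypothetical intents that need a linked account


def build_response(text, card=None):
    """Build a minimal response envelope that ends the session."""
    response = {"outputSpeech": {"type": "PlainText", "text": text},
                "shouldEndSession": True}
    if card is not None:
        response["card"] = card
    return {"version": "1.0", "response": response}


def gate_request(envelope):
    """Return a response to send immediately, or None to continue to the intent handler."""
    system = envelope.get("context", {}).get("System", {})
    app_id = system.get("application", {}).get("applicationId")
    if app_id != EXPECTED_SKILL_ID:
        # Not intended for this skill: refuse before touching any user data.
        raise PermissionError("applicationId does not match this skill")

    request = envelope.get("request", {})
    if request.get("type") == "IntentRequest":
        intent = request.get("intent", {}).get("name")
        token = system.get("user", {}).get("accessToken")
        if intent in PROTECTED_INTENTS and not token:
            # Account not linked yet: prompt linking instead of running the intent.
            return build_response(
                "Please use the Alexa app to link your account.",
                card={"type": "LinkAccount"})
    return None


def sample_request(app_id, intent, token=None):
    """Constructed request envelope, trimmed to the fields used above."""
    user = {"userId": "amzn1.ask.account.EXAMPLE"}
    if token:
        user["accessToken"] = token
    return {"version": "1.0",
            "context": {"System": {"application": {"applicationId": app_id},
                                   "user": user}},
            "request": {"type": "IntentRequest", "intent": {"name": intent}}}
```

On a self-hosted endpoint this gate runs only after the request signature has been validated; it does not replace that check.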
2.4. Skills that allow unlocking or disarming
If your skill lets the user unlock or disarm a device, you must require the user to set up a voice code of at least four digits before using that functionality. However, after the user has established a voice code, you may provide an opt-out option. For customers who do not set up a voice code, you can also provide the customer with reduced functionality of your skill.
Enable the skill and complete the account linking process. Ensure that the account linking flow includes setting a voice code to access unlock functionality and the voice code meets the security requirements.
If the skill offers reduced functionality when no voice code is set, disable the skill or log in to the Alexa app as an Alexa user who has not yet enabled the skill. Enable the skill, but do not set the voice code or opt out of the voice code requirement when prompted. Attempt to invoke the intents that let the user unlock or disarm a device.
Invoke each intent that lets a user unlock or disarm a device without opting out of the voice code.
Each request to unlock or disarm a device asks the user to speak the voice code.
Invoke each intent that lets a user unlock or disarm a device. When prompted for the voice code, speak an incorrect voice code. Provide an incorrect voice code at least three times.
2.5 Privacy requirements
The skill must not:
- Contain references to or include malicious hacking, such as phishing or Trojans. This includes rooting a device or circumventing Amazon's or any developer's digital rights management (DRM) software.
- Contain references to or include malicious user spying or tracking, including stalking, in the skill or skill metadata.
- Misuse customer personally identifiable information or sensitive personal information.
- Collect personal information from end users without doing all of the following:
(i) provide a legally adequate privacy notice that will be displayed to end users on your skill's detail page,
(ii) use the information in a way that end users have consented to,
(iii) ensure that your collection and use of that information complies with your privacy notice and all applicable laws, and
(iv) collect and use the data only if it is required to support and improve the features and services your skill provides.
Examples of personal information include, but are not limited to: full name, home address, email address, date of birth, and telephone number.
- Collect via voice or recite sensitive personal identifiable information, including, but not limited to, passport number, social security number, national identity number, full bank account number, or full credit/debit card number (or the equivalent in different locales).
- Recite any of the following information without giving the user an option to set up a four-digit security voice code during the account linking process: (i) driver’s license number, (ii) vehicle registration number, and (iii) insurance policy number.
- Recite publicly available information about individuals other than the skill user without including the source of the information in the skill description.
2.6 Voice code requirements
Certain types of skills, including financial skills and skills that allow purchases over $100, must give the customer an opportunity to set up a voice code. The voice code must comply with the following requirements:
- The customer must have an opportunity to create the voice code during the account linking flow. The account linking page must include a reminder that it is a best practice to set a different voice code than the code used for other accounts or services.
- The voice code must consist of at least four digits.
- The customer must be required to provide the voice code in every new skill session before any transaction is completed and before any sensitive customer information is recited.
- After three consecutive incorrect voice code attempts, the skill must require that the customer re-link their account and create a new voice code.
- The skill must allow the customer to ask questions like “lost voice code,” “forgot my voice code,” or “don’t have a voice code” and respond by voice and home card with the information about how to reset the voice code.
- The voice code must not at any time be displayed on home cards or screens.
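The voice code rules above, and the unlock and disarm tests in section 2.4, reduce to a small piece of per-account state: a minimum length at enrollment, a fresh check in every session, and a re-link after three consecutive misses. The sketch below is an added example, not Amazon's code; the class and method names are hypothetical, and storing a salted PBKDF2 digest and keeping the failure counter across sessions are assumptions of this example rather than requirements stated on this page.

```python
import hashlib
import hmac
import os
import re

MAX_FAILURES = 3  # three consecutive incorrect attempts force a re-link


class VoiceCodeGuard:
    """Voice code state for one linked account (hypothetical class, added example)."""

    def __init__(self):
        self.salt = self.digest = None
        self.failures = 0             # kept across sessions; reset only on success
        self.verified_session = None  # session in which the code was last accepted

    @staticmethod
    def _hash(code, salt):
        # Assumption: store a salted PBKDF2 digest rather than the code itself.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

    def enroll(self, code):
        """Called from the account linking flow; enforces the minimum length."""
        if not re.fullmatch(r"[0-9]{4,}", code):
            raise ValueError("voice code must be at least four digits")
        self.salt = os.urandom(16)
        self.digest = self._hash(code, self.salt)
        self.failures, self.verified_session = 0, None

    @property
    def relink_required(self):
        """True when no usable code exists (never set, or discarded after lockout)."""
        return self.digest is None

    def verify(self, session_id, spoken_code):
        """Check a spoken code; the third consecutive miss discards the code."""
        if self.digest is None:
            return False
        if hmac.compare_digest(self._hash(spoken_code, self.salt), self.digest):
            self.failures, self.verified_session = 0, session_id
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.salt = self.digest = self.verified_session = None
        return False

    def may_transact(self, session_id):
        """True only if the code was accepted earlier in this same session."""
        return self.digest is not None and self.verified_session == session_id
```

Nothing in this class returns the code or its digest to the caller, which keeps it out of home cards and screens by construction.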