Do Users Really Know Alexa? Understanding Alexa Skill Security Indicators

Abstract

Amazon Alexa’s booming third-party skill market has grown from 160 to 100,000 skills within three years. In this work, we make the first effort in demystifying the Alexa skill permission system by studying its security indicators. Our user study results show that most of the surveyed Alexa users did not understand the security implications of interacting with third parties via Alexa’s voice user interface (VUI). Despite the potential risks of undesired resource sharing, more than two-thirds of the surveyed Alexa users considered third-party skills safe because they think these skills are Alexa- or Amazon-owned applications. Together with other uncovered deficiencies of skill security indicator designs, our study indicates a pressing need for a paradigm shift in designing security indicators for VUI systems.