Alexa, Who Am I Speaking To? Understanding Users' Ability to Identify Third-Party Apps on Amazon Alexa
David J. Major, Danny Yuxing Huang, Marshini Chetty, Nick Feamster

TL;DR
This study reveals that users often confuse third-party Alexa skills with native functions, leading to security risks, and offers design recommendations to improve user understanding and safety.
Contribution
It uncovers user misconceptions about Alexa skills and proposes design solutions to distinguish native and third-party functionalities.
Findings
Users do not understand that third-party skills are operated by third parties.
Frequent Alexa users are more likely to mistake third-party skills for native functions.
Misunderstandings pose security and privacy risks.
Abstract
Many Internet of Things (IoT) devices have voice user interfaces (VUIs). One of the most popular VUIs is Amazon's Alexa, which supports more than 47,000 third-party applications ("skills"). We study how Alexa's integration of these skills may confuse users. Our survey of 237 participants found that users do not understand that skills are often operated by third parties, that they often confuse third-party skills with native Alexa functions, and that they are unaware of the functions that the native Alexa system supports. Surprisingly, users who interact with Alexa more frequently are more likely to conclude that a third-party skill is native Alexa functionality. The potential for misunderstanding creates new security and privacy risks: attackers can develop third-party skills that operate without users' knowledge or masquerade as native Alexa functions. To mitigate this threat, we make…
