Amazon Alexa Security Requirements


1.6. The Company MUST implement and share with Amazon a security response plan that describes how the Company will proceed in the event of a security incident, when the Company communicates with Amazon about an incident and the estimated timelines for resolving an incident.

As a registered developer, you can access additional security requirements in AVS Developer Console. For more information about these requirements, see AVS Security Requirements.

The following table lists the AMA hardware requirements for a Push-to-Talk (PTT) or Wake Word compatible device with custom implementation and OPUS codec support (v1.1.4). Specifications vary by device depending on chipset, codec support, and implementation. Device-specific custom algorithms also affect specifications.

If your product implements a major software update, such as an operating system upgrade or Alexa Communications integration, you will need to submit a security reassessment report. Work with one of the authorized security labs to retest your product against current safety requirements, and then provide a re-evaluation report. Ask your Amazon representative or email avs-security@amazon.com for more details on the security reassessment process.

For a list of test lab options, see Accredited Safety Labs.

1.7. The Company MUST provide a report by an independent security expert or certified security specialist who has conducted a thorough review of the security of the Device.

1.5. The Company PUBLISHES on its public website information in English and other appropriate languages about the Vulnerability Reporting Program (VRP) and how security researchers can submit vulnerability reports of their devices.

It is important that you protect the data that comes and goes between the client and the server, as it can be your client's personal data. For example, there are Alexa skills that allow a user to talk to their bank, so the display on your device may contain personal information related to a user's bank account. Your device can also stream videos from home security cameras. The end user of your device must be able to trust that the information they see on the device is from Alexa. Alexa must trust that your device's screen input comes directly from the user. Commercially distributed devices must meet the following minimum safety requirements.

The Amazon Developer Services agreement requires developers to implement all reasonable security measures to prevent unauthorized access to the Alexa Voice Service (AVS). Your Bluetooth-enabled accessory must support AMA transport and control protocols, including the following requirements: Certain types of skills, including financial skills and capabilities that allow purchases over $100, must give the customer the ability to set up a voice code. The language code must meet the following requirements: Review your hardware selection with the AVS security team to ensure that your architecture meets the AVS security requirements. Amazon has updated the minimum security requirements for devices that use Alexa Voice Service (AVS). The new rules define what manufacturers must include in their products to access the Alexa voice assistant. The updates include the first combination of all AVS SDKs, including Alexa Smart Screen and Alexa Auto. Review the AVS Security Requirements Admission Form with your Amazon developer account whitelisted and make sure your device meets the SoC/chipset security requirements outlined in the inclusion form. Before starting the product development process, consult the AVS security requirements inclusion form. You can find this form in the Developer Resources tab of the AVS Developer Console.

This inclusion form contains a complete list of applicable safety requirements that you must meet based on the device category of your product.

The Smart Screen SDK is based on the AVS Device SDK. Devices commercially distributed with the Smart Screen SDK must meet all security requirements for the AVS Device SDK and the requirements described below. The Smart Screen SDK introduces interprocess communication (IPC) between a new client display process and the server SDK process. In addition to client-server communication, the client also communicates visually with the user, and the server communicates with the AVS APIs on Amazon servers and manages the Alexa status. Both the client and the server are "Amazon software". You must protect Amazon software in accordance with the following requirements.

The Alexa Developer Services Agreement requires developers to implement all appropriate security measures when developing Alexa built-in devices. Your device must meet the following minimum system requirements for AMA integration.

The new safety rules will come in two waves. The first wave will come into force on August 1 of this year, followed by the second wave a year later. To improve the security of Alexa devices, Amazon has established a mix of hardware and software requirements, as well as new guidelines for verifying and maintaining security.

On the product side, future AVS products will require a combination of security features such as secure boot and secure key storage, as well as hardware cryptographic engines and account segregation. All of these make it difficult for an unauthorized user to target or collect data from a device. Wake Word, AFE, and other front-end algorithms affect the additional hardware requirements for the DSP, depending on their size and implementation.

During the self-test, use the downloadable checklists provided by Amazon. Amazon's testing team has designed each checklist to ensure your product meets all AVS requirements. Checklists cover function, user experience (UX), security, acoustic, and music self-tests. Test your product thoroughly with your own quality assurance before you start self-testing.

However, if unknown software can run in the browser, the client certificate is available for any browser software.