Skill #2 (find my iPhone) Rejected for lack of OAuth. Bummer. :(
After several discussions with Amazon, my "[b]Find My Phone[/b]" skill has been rejected. It used Account Linking to capture the user's iCloud userID and password. When the skill was activated, it logged into iCloud and triggered the "Find my iPhone" alert, which is far better than just calling the phone, for example. The tone is loud and plays even if the phone is muted, and doesn't go to voice mail. It is [b]by far the most useful Alexa skill that I've created[/b]. My wife uses it 5 times a day because she loses her phone so often! The reason the skill was rejected is because I am capturing and storing the user's iCloud credentials. Apparently this is not allowed, though that is not written anywhere. [b]It sounds like they are moving to only supporting 3rd party logins that support OAuth[/b]. Any kind of pass-thru authentication will not be allowed in skills. This renders my skill impossible to implement (iCloud does not support OAuth). This is really a bummer, since it's my second skill that was rejected for reasons that are not published anywhere. I realize they are making this up as they go along, but for me it's gotten to the point where I truly can't keep working on useful skills just to have them rejected at certification stage for breaking rules I didn't know exist. If anyone is interested, I'll make my "find my iphone" skill available as a stand-alone skill that any other developer can manually add and use. It wouldn't appear in the Skills list, but you could still use it as I do.
i need this activation code. apple can not provide this code. Apple doesn't provide an iCloud OAuth service you can use because I'm sure Find my iPhone would be a very highly rated skill and an essential must-have for most people like me :)
> I am interested in the code, have you made it freely > available? Thanks!! Matt Kruse stopped developing for Alexa a couple months ago (so he's likely not reading this), but he lists his contact info on his github page:
https://github.com/matt-kruse. Also, his find my iphone Node.js stuff is publicly available at that link, but it lacks the Alexa intents and utterances. I'm sure you could recreate those pretty easily, though.
I as well have been doing this with ease using IFTTT. I think that is a much better option than capturing thousands of peoples icloud login information. I stand with Amazon on this. The skill is redundant and opens pandora's box to some really nasty folks, using their platform to to some very nasty things. I am not saying you are one of these poeple, at all. That being said, allowing skills to collect information like that is a bad idea across the board. I would have denied your skill as well.
"If anyone is interested, I'll make my "find my iphone" skill available as a stand-alone skill that any other developer can manually add and use." I am interested in the code, have you made it freely available? Thanks!!
Calling the phone is not a good option. You can already do that with IFTTT. And I think there is a call my phone skill already? Calling the phone is far less useful than triggering the Find My iPhone functionality, which is why I created the latter.
I was thinking (yeah, that's often dangerous) - but what about using the Twilio API to call a lost phone? That way, you can open your skill up to *any* phone Android, iPhone, etc.? During the account linking process, you could ask the skill user to provide their phone number and then call that when they invoke your skill. Just send a confirmation SMS to the number, have the user plug that into the skill (via the account linking page) and you'll also be able to confirm the user's number is legit. Ok, so it won't work if the phone is set to forward all calls to voicemail, etc. but it could be one way around the lack of Apple OAuth support.
I think it's more of a case that your skill is breaking Apple's own policies around asking for their iCloud user's credentials, and so if Amazon pass your skill, they are knowingly allowing you to put these users at risk should your password storage get exposed. I'm sure that even Apple doesn't store iCloud user passwords :)
> 3) Is it really Amazon's business to police whether
> users are safely using 3rd-party services?
This is one of the broken aspects of Amazon's current certification process. They get deep down and persnickety over aspects of a skill that the developer could change 30 seconds after certification. What is the point in a requirement that you can only enforce during certification time? They would be far better off adopting an approach like Google Play or the iPhone store where they concentrate on making sure you don't have an application that will crash their device. Other than that, the gates are open.
There are some legal issues around personally identifiable information, that they might still have to pay attention to. But the sort of things they are trying to enforce just make more work for their team and us developers, with no real benefit to the users.
> your skill should absolutely be rejected as you are putting iCloud users at risk 1) I make it very clear to users during the account linking stage that I am using their login/pass for pass-thru authentication. They can decide whether or not to accept that "risk". 2) The credentials are stored in the Amazon infrastructure, which I assume is quite secure, relative to most other places 3) Is it really Amazon's business to police whether users are safely using 3rd-party services? What next, they reject a skill because the 3rd party service doesn't use reliable backup? Where does Amazon's policing end, and the burden placed on the user or skill? I am going to try an alternative way to launch the skill, using IFTTT. Then users could just say "Alexa, trigger my phone". But it's not as easy, and doesn't let the user select which phone to alert if there are multiple.
Apologies if I've misunderstood, but if you are storing the actual iCloud username and password, and then feeding them into the Apple service, then your skill should absolutely be rejected as you are putting iCloud users at risk. It's a shame Apple doesn't provide an iCloud OAuth service you can use because I'm sure Find my iPhone would be a very highly rated skill and an essential must-have for most people like me :)