Matt Kruse asked

New Account Linking Rules: OAuth Required!

My "Find my Phone" skill (the most useful function of our Echo so far, by far) was rejected. I use Account Linking to capture the user's iCloud userID and password, then store them encrypted in my database, because iCloud does not support OAuth. I then use pass-thru authentication to trigger the iPhone's "Find my iPhone" alarm.

After internal discussions, Amazon decided that this wasn't allowed, and wrote up new rules about Account Linking. I'm not sure if they are published anywhere yet. It would have been nice to know these rules up-front, of course, because I wouldn't have wasted 20 hours developing this skill.

Here is their response to my certification rejection, just FYI. There's nothing private here, so I don't think I'm violating Amazon's privacy by publishing an email that might be useful to others here:

Hello Matt,

Thank you for submitting your skill, Find My Phone and all of your development efforts with Alexa skills. As communicated by Michelle Abrahams before the holidays, we cannot allow the storage of user credentials by third parties for account linking purposes. Below, we’ve listed our minimal security requirements for account linking. Specifically, the skill Find My Phone does not meet requirement #4 from our guidelines.

Minimal Security Requirement Guidelines:

(1) Skills that require connecting the identity of the customer with a user in another system, must use the Alexa Account Linking functionality
(2) Skill providers must serve a login page over HTTPS
(3) Skill providers must be the owner of the domain presenting the login page
(4) Skill providers can be the owner of the credential system OR can link to other OAuth providers.

We very much appreciate your patience with our process and we assure you that we will be publishing the guidelines above for transparency in the future.

Regards,
The Alexa Skills Team
alexa skills kit, debugging

0 Answers