Feeds

Amazon API crackdown neuters book apps

New keys to the etail kingdom

High performance access to file storage

Following a change in the Amazon.com API, downloadable applications that rely on the etail giant for product data are experiencing a kind of Amazonian impotence.

Nathaniel Elam, a Linux user from New London, Connecticut, recently encountered the problem with his copy of Tellico, a tool that keeps a digital catalog of his CDs, LPs, videos, and other collectibles. The open source app is designed to automatically pull titles, track names, cast lists, images, and other data from various websites, but two weeks back, Elam's copy suddenly quit working with the world's largest etailer.

Then Elam noticed a similar problem with an aging Windows app known as Album Art Aggregator, which provided cover art for his collection of ripped CDs. And after a quick web search, he turned up issues with several other Linux apps, including Amarok, a music player for the KDE Linux desktop interface, and Rhythmbox, a music-management app for the GNOME destktop.

As it turns out, all are victims of a recent change to the Amazon.com data API. On August 15, Amazon began rejecting API requests that weren't signed with a secret access key. In the past, Amazon required a key from each application, but this was a key that could potentially be picked up and applied to any other tool - a particular danger with open source apps. Now, in an effort to maintain tighter control over use of the API, Amazon is requiring signed authentication.

"We are requiring that all calls to the Product Advertising API be signed in order to help us prevent unauthorized and improper uses of the API," reads an Amazon FAQ. "Signed requests will help developers protect the security of their access identifiers and will help prevent others from using their access identifiers to make unauthorized calls to the API."

This means that a separate key is required for each installation of an application. With a web-based app, each user is tapping into the same, centrally-located tool, so the developer can request and apply a single key for all users. But with a downloadable desktop app, each user needs their own key. The developer must tweak the app to accept the key and either distribute keys or have users apply their own keys by way of a free Amazon Web Services account.

The end result is that using desktop apps with the API is a bit more complicated. And existing apps - like Elam's version of Tellico - are on the fritz.

"Before, Tellico - as an application - had a unique access key. So every search that came from Tellico had the same key. It was hard-coded in the source. Some other application could have used the same key, since it was pretty much public, though," Robby Stephenson, the app's developer, tells The Reg. "Now, the new scheme requires each user to have a separate key that is kept private."

Like other developers, Stephenson was first notified of the change in May, and he received regular notifications from Amazon until the change was made in mid-August.

Stephenson has tweaked the new version of his downloadable app to use the private keys, but he has no intention of updating older versions that work with older interfaces. "The Amazon searching no longer works for any version of Tellico released for KDE3," he recently told his users. "I don't plan to try to backport that support, either. Sorry, folks. You'll just have to use a different search source."

Similarly, two other book-cataloging apps - the Mac-based Books for MacOS X and the GNOME-based Alexandria - have been updated to accommodate Amazon's change, and new downloads are required.

What exactly is Amazon trying to crack down on? It's unclear. The company did not respond to specific questions about the API change, merely pointing us to that online FAQ. But it's worth noting that Amazon has also changed the name of the API, dropping the "Amazon Associates Web Service" moniker in favor of "Product Advertising API."

The company's terms of service say that the API can only be used by applications that "have the principal purpose of advertising and marketing the Amazon Site and driving sales of products and services on the Amazon Site." But the terms have always read this way. And the new setup hardly seems like the best means of severing ties with product cataloging apps along the lines of Tellico and Books for MacOS X. But it has certainly made their lives a more difficult. ®

High performance access to file storage

More from The Register

next story
Sorry London, Europe's top tech city is Munich
New 'Atlas of ICT Activity' finds innovation isn't happening at Silicon Roundabout
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.