Feeds

Amazon API crackdown neuters book apps

New keys to the etail kingdom

Internet Security Threat Report 2014

Following a change in the Amazon.com API, downloadable applications that rely on the etail giant for product data are experiencing a kind of Amazonian impotence.

Nathaniel Elam, a Linux user from New London, Connecticut, recently encountered the problem with his copy of Tellico, a tool that keeps a digital catalog of his CDs, LPs, videos, and other collectibles. The open source app is designed to automatically pull titles, track names, cast lists, images, and other data from various websites, but two weeks back, Elam's copy suddenly quit working with the world's largest etailer.

Then Elam noticed a similar problem with an aging Windows app known as Album Art Aggregator, which provided cover art for his collection of ripped CDs. And after a quick web search, he turned up issues with several other Linux apps, including Amarok, a music player for the KDE Linux desktop interface, and Rhythmbox, a music-management app for the GNOME destktop.

As it turns out, all are victims of a recent change to the Amazon.com data API. On August 15, Amazon began rejecting API requests that weren't signed with a secret access key. In the past, Amazon required a key from each application, but this was a key that could potentially be picked up and applied to any other tool - a particular danger with open source apps. Now, in an effort to maintain tighter control over use of the API, Amazon is requiring signed authentication.

"We are requiring that all calls to the Product Advertising API be signed in order to help us prevent unauthorized and improper uses of the API," reads an Amazon FAQ. "Signed requests will help developers protect the security of their access identifiers and will help prevent others from using their access identifiers to make unauthorized calls to the API."

This means that a separate key is required for each installation of an application. With a web-based app, each user is tapping into the same, centrally-located tool, so the developer can request and apply a single key for all users. But with a downloadable desktop app, each user needs their own key. The developer must tweak the app to accept the key and either distribute keys or have users apply their own keys by way of a free Amazon Web Services account.

The end result is that using desktop apps with the API is a bit more complicated. And existing apps - like Elam's version of Tellico - are on the fritz.

"Before, Tellico - as an application - had a unique access key. So every search that came from Tellico had the same key. It was hard-coded in the source. Some other application could have used the same key, since it was pretty much public, though," Robby Stephenson, the app's developer, tells The Reg. "Now, the new scheme requires each user to have a separate key that is kept private."

Like other developers, Stephenson was first notified of the change in May, and he received regular notifications from Amazon until the change was made in mid-August.

Stephenson has tweaked the new version of his downloadable app to use the private keys, but he has no intention of updating older versions that work with older interfaces. "The Amazon searching no longer works for any version of Tellico released for KDE3," he recently told his users. "I don't plan to try to backport that support, either. Sorry, folks. You'll just have to use a different search source."

Similarly, two other book-cataloging apps - the Mac-based Books for MacOS X and the GNOME-based Alexandria - have been updated to accommodate Amazon's change, and new downloads are required.

What exactly is Amazon trying to crack down on? It's unclear. The company did not respond to specific questions about the API change, merely pointing us to that online FAQ. But it's worth noting that Amazon has also changed the name of the API, dropping the "Amazon Associates Web Service" moniker in favor of "Product Advertising API."

The company's terms of service say that the API can only be used by applications that "have the principal purpose of advertising and marketing the Amazon Site and driving sales of products and services on the Amazon Site." But the terms have always read this way. And the new setup hardly seems like the best means of severing ties with product cataloging apps along the lines of Tellico and Books for MacOS X. But it has certainly made their lives a more difficult. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
MI6 oversight report on Lee Rigby murder: US web giants offer 'safe haven for TERRORISM'
PM urged to 'prioritise issue' after Facebook hindsight find
I'll be back (and forward): Hollywood's time travel tribulations
Quick, call the Time Cops to sort out this paradox!
Assange™ slumps back on Ecuador's sofa after detention appeal binned
Swedish court rules there's 'great risk' WikiLeaker will dodge prosecution
NSA mass spying reform KILLED by US Senators
Democrats needed just TWO more votes to keep alive bill reining in some surveillance
prev story

Whitepapers

Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
The total economic impact of Druva inSync
Examining the ROI enterprises may realize by implementing inSync, as they look to improve backup and recovery of endpoint data in a cost-effective manner.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.