An Empirical Study on Oculus Virtual Reality Applications: Security and Privacy Perspectives

Hanyang Guo, Hong-Ning Dai*, Xiapu Luo, Zibin Zheng, Gengyang Xu, Fengliang He

*Corresponding author for this work

Research output: Chapter in book/report/conference proceedingConference proceedingpeer-review

Abstract

Although Virtual Reality (VR) has accelerated its prevalent adoption in emerging metaverse applications, it is not a fundamentally new technology. On one hand, most VR operating systems (OS) are based on off-the-shelf mobile OS (e.g., Android). As a result, VR apps also inherit privacy and security deficiencies from conventional mobile apps. On the other hand, in contrast to conventional mobile apps, VR apps can achieve immersive experience via diverse VR devices, such as head-mounted displays, body sensors, and controllers though achieving this requires the extensive collection of privacy-sensitive human biometrics (e.g., hand-tracking and face-tracking data). Moreover, VR apps have been typically implemented by 3D gaming engines (e.g., Unity), which also contain intrinsic security vulnerabilities. Inappropriate use of these technologies may incur privacy leaks and security vulnerabilities although these issues have not received significant attention compared to the proliferation of diverse VR apps. In this paper, we develop a security and privacy assessment tool, namely the VR-SP detector for VR apps. The VR-SP detector has integrated program static analysis tools and privacy-policy analysis methods. Using the VR-SP detector, we conduct a comprehensive empirical study on 500 popular VR apps. We obtain the original apps from the popular Oculus and SideQuest app stores and extract APK files via the Meta Oculus Quest 2 device. We evaluate security vulnerabilities and privacy data leaks of these VR apps by VR app analysis, taint analysis, and privacy-policy analysis. We find that a number of security vulnerabilities and privacy leaks widely exist in VR apps. Moreover, our results also reveal conflicting representations in the privacy policies of these apps and inconsistencies of the actual data collection with the privacy-policy statements of the apps. Based on these findings, we make suggestions for the future development of VR apps.
Original languageEnglish
Title of host publicationICSE '24: Proceedings of the IEEE/ACM 46th International Conference on Software Engineering
Place of PublicationNew York
PublisherAssociation for Computing Machinery (ACM)
Pages1-13
Number of pages13
ISBN (Electronic)9798400702174
ISBN (Print)9798400702174
DOIs
Publication statusPublished - 20 May 2024
Event2024 IEEE/ACM 46th International Conference on Software Engineering (ISCE) - Lisbon, Portugal
Duration: 14 Apr 202420 Apr 2024
https://dl.acm.org/doi/proceedings/10.1145/3597503 (Conference proceeding)
https://conf.researchr.org/home/icse-2024 (Conference website)

Publication series

NameProceedings - International Conference on Software Engineering
ISSN (Print)0270-5257

Conference

Conference2024 IEEE/ACM 46th International Conference on Software Engineering (ISCE)
Country/TerritoryPortugal
CityLisbon
Period14/04/2420/04/24
Internet address

Scopus Subject Areas

  • Software

User-Defined Keywords

  • Metaverse
  • Security and Privacy
  • Static Analysis
  • virtual reality
  • Virtual Reality

Fingerprint

Dive into the research topics of 'An Empirical Study on Oculus Virtual Reality Applications: Security and Privacy Perspectives'. Together they form a unique fingerprint.

Cite this