An Empirical Study on Oculus Virtual Reality Applications: Security and Privacy Perspectives (2402.13815v1)

Published 21 Feb 2024 in cs.SE and cs.CR

Abstract: Although Virtual Reality (VR) has seen rapidly accelerating adoption in emerging metaverse applications, it is not a fundamentally new technology. On one hand, most VR operating systems (OS) are based on off-the-shelf mobile OS; as a result, VR apps also inherit the privacy and security deficiencies of conventional mobile apps. On the other hand, in contrast to conventional mobile apps, VR apps achieve an immersive experience via diverse VR devices, such as head-mounted displays, body sensors, and controllers, though achieving this requires the extensive collection of privacy-sensitive human biometrics. Moreover, VR apps are typically implemented with 3D gaming engines (e.g., Unity), which contain intrinsic security vulnerabilities of their own. Inappropriate use of these technologies may incur privacy leaks and security vulnerabilities, yet these issues have not received significant attention compared to the proliferation of diverse VR apps. In this paper, we develop a security and privacy assessment tool, the VR-SP detector, for VR apps. The VR-SP detector integrates program static analysis tools and privacy-policy analysis methods. Using the VR-SP detector, we conduct a comprehensive empirical study on 500 popular VR apps. We obtain the original apps from the popular Oculus and SideQuest app stores and extract APK files via the Meta Oculus Quest 2 device. We evaluate security vulnerabilities and privacy data leaks of these VR apps by VR app analysis, taint analysis, and privacy-policy analysis. We find that security vulnerabilities and privacy leaks are widespread in VR apps. Moreover, our results also reveal conflicting representations within the privacy policies of these apps and inconsistencies between the apps' actual data collection and their privacy-policy statements. Based on these findings, we make suggestions for the future development of VR apps.
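The abstract describes two checks the VR-SP detector combines: whether an app's actual data collection matches its privacy-policy statements, and whether the policy contradicts itself. The following is an added, deliberately simplified example of both checks, written for this page; it is not the paper's VR-SP detector and does not reproduce its method. It reads `<uses-permission>` entries from an Android manifest as a proxy for data collection, classifies policy sentences as "collect" or "do not collect" statements per data category, and reports three kinds of mismatch. The manifest, policy text, permission-to-category mapping and synonym lists are all constructed for the example.

```python
"""Added example (not the paper's VR-SP detector): compare the data categories
implied by an APK manifest's permissions with the statements in its privacy
policy, and flag contradictions inside the policy. All inputs are constructed."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Hypothetical mapping from manifest permissions to the data category a policy
# would talk about (a real analysis would also use taint-tracking results).
PERMISSION_TO_DATA = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CONTACTS": "contacts",
}

# Constructed, deliberately small synonym lists for each data category.
DATA_SYNONYMS = {
    "location": ["location", "geolocation", "gps"],
    "audio": ["audio", "voice", "microphone"],
    "camera": ["camera", "photos", "images"],
    "contacts": ["contacts", "address book"],
}

COLLECT_VERBS = r"(collect|gather|store|access|use)"
NEGATION = r"\b(do not|don't|never|will not|won't)\s+" + COLLECT_VERBS


def requested_data_types(manifest_xml: str) -> set[str]:
    """Return the data categories implied by <uses-permission> entries."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for node in root.iter("uses-permission"):
        perm = node.get(ANDROID_NS + "name", "")
        if perm in PERMISSION_TO_DATA:
            found.add(PERMISSION_TO_DATA[perm])
    return found


def policy_statements(policy_text: str) -> dict[str, set[str]]:
    """Classify each sentence as a 'collect' or 'not_collect' statement per
    data category. Simplification: one negation marks the whole sentence."""
    result = {"collect": set(), "not_collect": set()}
    for sentence in re.split(r"(?<=[.!?])\s+", policy_text.lower()):
        negated = re.search(NEGATION, sentence)
        positive = re.search(r"\b" + COLLECT_VERBS + r"\b", sentence)
        if not (negated or positive):
            continue
        bucket = "not_collect" if negated else "collect"
        for category, words in DATA_SYNONYMS.items():
            if any(re.search(r"\b" + re.escape(w) + r"\b", sentence) for w in words):
                result[bucket].add(category)
    return result


def audit(manifest_xml: str, policy_text: str) -> dict[str, set[str]]:
    """Cross-check requested data categories against the policy statements."""
    requested = requested_data_types(manifest_xml)
    stmts = policy_statements(policy_text)
    return {
        # policy promises not to collect a category the app requests
        "contradicts_policy": requested & stmts["not_collect"],
        # app requests a category the policy never mentions at all
        "undisclosed": requested - stmts["collect"] - stmts["not_collect"],
        # policy both affirms and denies collection of the same category
        "internal_conflict": stmts["collect"] & stmts["not_collect"],
    }


# Constructed sample inputs (not from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vrdemo">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

SAMPLE_POLICY = """We collect voice recordings to enable in-game chat. We do not collect your location.
We collect location data to show nearby events. We never access your contacts."""

if __name__ == "__main__":
    for kind, categories in audit(SAMPLE_MANIFEST, SAMPLE_POLICY).items():
        print(f"{kind}: {sorted(categories)}")
```

On the sample inputs the audit reports `location` under `contradicts_policy` (the manifest requests fine location while one sentence denies collecting it), `camera` under `undisclosed` (requested but never mentioned), and `location` under `internal_conflict` (the policy both affirms and denies collecting it). The sentence-level negation rule is the main simplification: a sentence that affirms one category and denies another in the same breath is misclassified, which is why the research tools cited in the abstract use proper NLP rather than regular expressions.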

Authors (6)
  1. Hanyang Guo (3 papers)
  2. Hong-Ning Dai (33 papers)
  3. Xiapu Luo (106 papers)
  4. Zibin Zheng (194 papers)
  5. Gengyang Xu (1 paper)
  6. Fengliang He (1 paper)
Citations (7)