An Empirical Study on Meta Virtual Reality Applications: Security and Privacy Perspectives

IF 6.5 | Zone 1, Computer Science | Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING
Hanyang Guo;Hong-Ning Dai;Xiapu Luo;Gengyang Xu;Fengliang He;Zibin Zheng
{"title":"An Empirical Study on Meta Virtual Reality Applications: Security and Privacy Perspectives","authors":"Hanyang Guo;Hong-Ning Dai;Xiapu Luo;Gengyang Xu;Fengliang He;Zibin Zheng","doi":"10.1109/TSE.2025.3553283","DOIUrl":null,"url":null,"abstract":"Virtual Reality (VR) has accelerated its prevalent adoption in emerging metaverse applications, but it is not a fundamentally new technology. On the one hand, most VR operating systems (OS) are based on off-the-shelf mobile OS (e.g., Android OS). As a result, VR apps also inevitably inherit privacy and security deficiencies from conventional mobile apps. On the other hand, in contrast to traditional mobile apps, VR apps can achieve an immersive experience via diverse VR devices, such as head-mounted displays, body sensors, and controllers. However, achieving this requires the extensive collection of privacy-sensitive human biometrics (e.g., hand-tracking and face-tracking data). Moreover, VR apps have been typically implemented by 3D gaming engines (e.g., Unity), which also contain intrinsic security vulnerabilities. Inappropriate use of these technologies may incur privacy leaks and security vulnerabilities although these issues have not received significant attention compared to the proliferation of diverse VR apps. In this paper, we develop a security and privacy assessment tool, namely the VR-SP detector for VR apps. The VR-SP detector has integrated program static analysis tools and privacy-policy analysis methods. Using the VR-SP detector, we conduct a comprehensive empirical study on 900 popular VR apps. We obtain the original apps from the popular SideQuest app store and extract Android PacKage (APK) files via the Meta Quest 2 device. We evaluate the security vulnerabilities and privacy data leaks of these VR apps through VR app analysis, taint analysis, privacy policy analysis, and user review analysis. We find that a number of security vulnerabilities and privacy leaks widely exist in VR apps. 
Moreover, our results also reveal conflicting representations in the privacy policies of these apps and inconsistencies of the actual data collection with the privacy-policy statements of the apps. Further, user reviews also indicate their privacy concerns about relevant biometric data. Based on these findings, we make suggestions for the future development of VR apps.","PeriodicalId":13324,"journal":{"name":"IEEE Transactions on Software Engineering","volume":"51 5","pages":"1437-1454"},"PeriodicalIF":6.5000,"publicationDate":"2025-03-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Software Engineering","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10934745/","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}
Citations: 0

Abstract

Virtual Reality (VR) has accelerated its prevalent adoption in emerging metaverse applications, but it is not a fundamentally new technology. On the one hand, most VR operating systems (OS) are based on off-the-shelf mobile OS (e.g., Android OS). As a result, VR apps also inevitably inherit privacy and security deficiencies from conventional mobile apps. On the other hand, in contrast to traditional mobile apps, VR apps can achieve an immersive experience via diverse VR devices, such as head-mounted displays, body sensors, and controllers. However, achieving this requires the extensive collection of privacy-sensitive human biometrics (e.g., hand-tracking and face-tracking data). Moreover, VR apps have been typically implemented by 3D gaming engines (e.g., Unity), which also contain intrinsic security vulnerabilities. Inappropriate use of these technologies may incur privacy leaks and security vulnerabilities although these issues have not received significant attention compared to the proliferation of diverse VR apps. In this paper, we develop a security and privacy assessment tool, namely the VR-SP detector for VR apps. The VR-SP detector has integrated program static analysis tools and privacy-policy analysis methods. Using the VR-SP detector, we conduct a comprehensive empirical study on 900 popular VR apps. We obtain the original apps from the popular SideQuest app store and extract Android PacKage (APK) files via the Meta Quest 2 device. We evaluate the security vulnerabilities and privacy data leaks of these VR apps through VR app analysis, taint analysis, privacy policy analysis, and user review analysis. We find that a number of security vulnerabilities and privacy leaks widely exist in VR apps. Moreover, our results also reveal conflicting representations in the privacy policies of these apps and inconsistencies of the actual data collection with the privacy-policy statements of the apps. 
Further, user reviews also indicate their privacy concerns about relevant biometric data. Based on these findings, we make suggestions for the future development of VR apps.
Source journal

IEEE Transactions on Software Engineering
Category: Engineering Technology - Engineering: Electrical and Electronic
CiteScore: 9.70
Self-citation rate: 10.80%
Articles published: 724
Review time: 6 months

Journal description: IEEE Transactions on Software Engineering seeks contributions comprising well-defined theoretical results and empirical studies with potential impacts on software construction, analysis, or management. The scope of this Transactions extends from fundamental mechanisms to the development of principles and their application in specific environments. Specific topic areas include:
a) Development and maintenance methods and models: Techniques and principles for specifying, designing, and implementing software systems, encompassing notations and process models.
b) Assessment methods: Software tests, validation, reliability models, test and diagnosis procedures, software redundancy, design for error control, and measurements and evaluation of process and product aspects.
c) Software project management: Productivity factors, cost models, schedule and organizational issues, and standards.
d) Tools and environments: Specific tools, integrated tool environments, associated architectures, databases, and parallel and distributed processing issues.
e) System issues: Hardware-software trade-offs.
f) State-of-the-art surveys: Syntheses and comprehensive reviews of the historical development within specific areas of interest.