Although Virtual Reality (VR) has accelerated its prevalent adoption in emerging metaverse applications, it is not a fundamentally new technology. On one hand, most VR operating systems (OSes) are built on off-the-shelf mobile OSes, so VR apps inherit the privacy and security deficiencies of conventional mobile apps. On the other hand, unlike conventional mobile apps, VR apps deliver an immersive experience through diverse VR devices such as head-mounted displays, body sensors, and controllers, and doing so requires extensive collection of privacy-sensitive human biometrics. Moreover, VR apps are typically built with 3D game engines (e.g., Unity), which carry their own security vulnerabilities. Inappropriate use of these technologies can lead to privacy leaks and security vulnerabilities, yet these issues have received little attention relative to the proliferation of VR apps. In this paper, we develop a security and privacy assessment tool for VR apps, the VR-SP detector, which integrates static program analysis tools with privacy-policy analysis methods. Using the VR-SP detector, we conduct a comprehensive empirical study of 500 popular VR apps. We obtain the apps from the popular Oculus and SideQuest app stores and extract their APK files from a Meta Oculus Quest 2 device. We evaluate the security vulnerabilities and privacy data leaks of these apps through VR app analysis, taint analysis, and privacy-policy analysis. We find that security vulnerabilities and privacy leaks are widespread in VR apps. Our results also reveal contradictory statements within the apps' privacy policies and inconsistencies between the data the apps actually collect and what their privacy policies declare. Based on these findings, we make suggestions for the future development of VR apps.
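The abstract says the APKs were extracted from a Meta Oculus Quest 2 but not how. The script below is an added example, not code from the paper or the VR-SP detector; it assumes (as its own assumption) that the headset is in developer mode and reachable over adb, and that the apps were pulled with the standard `pm list packages -f` / `adb pull` route that works on any Android-based device. The parsing and command-generation functions run offline on a constructed sample listing, so the only device-dependent step is the final pull.

```shell
#!/bin/sh
# Added example, not from the paper. Assumption: the Quest 2 is in
# developer mode and attached over adb; the paper does not state its
# extraction mechanism.

# Turn `pm list packages -f` lines ("package:<path>=<package>") into
# "<path> <package>" pairs. Everything after the LAST '=' is the package
# name, so install paths containing '=' (e.g. /data/app/~~Ab12==/...)
# are kept intact. Stray '\r' from adb shell output is dropped first.
parse_pm_list() {
    tr -d '\r' | sed -n 's/^package:\(.*\)=\([^=]*\)$/\1 \2/p'
}

# Emit one `adb pull` command per parsed pair, saving as <package>.apk
# under the given output directory.
pull_commands() {
    outdir=$1
    parse_pm_list | while read -r path pkg; do
        printf 'adb pull %s %s/%s.apk\n' "$path" "$outdir" "$pkg"
    done
}

# Constructed sample listing in the format the device prints
# (package names and paths are made up for this example).
SAMPLE_LISTING='package:/data/app/~~Ab12==/com.example.vrgame-1/base.apk=com.example.vrgame
package:/data/app/~~Cd34==/com.example.social-2/base.apk=com.example.social'

# Pull every third-party (-3) package from an attached headset; with no
# device present, just print the commands that would be run against the
# constructed sample so the flow can be inspected offline.
extract_apks() {
    outdir=${1:-./apks}
    mkdir -p "$outdir"
    if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
        adb shell pm list packages -3 -f | pull_commands "$outdir" | sh
    else
        printf '%s\n' "$SAMPLE_LISTING" | pull_commands "$outdir"
    fi
}

# Usage: sh extract_apks.sh --pull ./apks
if [ "${1:-}" = "--pull" ]; then
    extract_apks "${2:-./apks}"
fi
```

Only third-party packages (`-3`) are listed so system and runtime packages are skipped; the pulled `base.apk` files are then the input for static analysis and taint analysis of the kind the abstract describes.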