Table of Contents
Fetching ...

A Multi-Store Privacy Measurement of Virtual Reality App Ecosystem

Chuan Yan, Zeng Li, Kunlin Cai, Liuhuo Wan, Ruomai Ren, Yiran Shen, Guangdong Bai

TL;DR

The paper addresses the privacy risks in the VR app ecosystem by conducting the first large-scale, multi-store analysis of declarative and behavioral privacy practices across five major VR stores, examining 6,565 apps and 802 Oculus/Pico APKs with 2,788 privacy policies. It combines VR-domain privacy taxonomy with NLP, reverse engineering, and static analysis to build an adaptive framework capable of cross-engine (Unity/Unreal) and cross-store privacy measurement. Key findings reveal substantial gaps: about a third of apps do not declare sensitive data, and roughly 21.5% lack valid privacy policies; many policies are non-VR-specific or inaccessible, and there are notable inconsistencies between declared and observed data practices. The work provides actionable guidance for store operators, developers, and users to improve transparency, policy quality, and compliance, and offers a scalable methodology for ongoing privacy assessment in the rapidly growing VR ecosystem.

Abstract

Virtual Reality (VR) has gained increasing traction among various domains in recent years, with major companies such as Meta, Pico, and Microsoft launching their application stores to support third-party developers in releasing their applications (or simply apps). These apps offer rich functionality but inherently collect privacy-sensitive data, such as user biometrics, behaviors, and the surrounding environment. Nevertheless, there is still a lack of domain-specific regulations to govern the data handling of VR apps, resulting in significant variations in their privacy practices among app stores. In this work, we present the first comprehensive multi-store study of privacy practices in the current VR app ecosystem, covering a large-scale dataset involving 6,565 apps collected from five major app stores. We assess both declarative and behavioral privacy practices of VR apps, using a multi-faceted approach based on natural language processing, reverse engineering, and static analysis. Our assessment reveals significant privacy compliance issues across all stores, underscoring the premature status of privacy protection in this rapidly growing ecosystem. For instance, one third of apps fail to declare their use of sensitive data, and 21.5\% of apps neglect to provide valid privacy policies. Our work sheds light on the status quo of privacy protection within the VR app ecosystem for the first time. Our findings should raise an alert to VR app developers and users, and encourage store operators to implement stringent regulations on privacy compliance among VR apps.

A Multi-Store Privacy Measurement of Virtual Reality App Ecosystem

TL;DR

The paper addresses the privacy risks in the VR app ecosystem by conducting the first large-scale, multi-store analysis of declarative and behavioral privacy practices across five major VR stores, examining 6,565 apps and 802 Oculus/Pico APKs with 2,788 privacy policies. It combines VR-domain privacy taxonomy with NLP, reverse engineering, and static analysis to build an adaptive framework capable of cross-engine (Unity/Unreal) and cross-store privacy measurement. Key findings reveal substantial gaps: about a third of apps do not declare sensitive data, and roughly 21.5% lack valid privacy policies; many policies are non-VR-specific or inaccessible, and there are notable inconsistencies between declared and observed data practices. The work provides actionable guidance for store operators, developers, and users to improve transparency, policy quality, and compliance, and offers a scalable methodology for ongoing privacy assessment in the rapidly growing VR ecosystem.

Abstract

Virtual Reality (VR) has gained increasing traction among various domains in recent years, with major companies such as Meta, Pico, and Microsoft launching their application stores to support third-party developers in releasing their applications (or simply apps). These apps offer rich functionality but inherently collect privacy-sensitive data, such as user biometrics, behaviors, and the surrounding environment. Nevertheless, there is still a lack of domain-specific regulations to govern the data handling of VR apps, resulting in significant variations in their privacy practices among app stores. In this work, we present the first comprehensive multi-store study of privacy practices in the current VR app ecosystem, covering a large-scale dataset involving 6,565 apps collected from five major app stores. We assess both declarative and behavioral privacy practices of VR apps, using a multi-faceted approach based on natural language processing, reverse engineering, and static analysis. Our assessment reveals significant privacy compliance issues across all stores, underscoring the premature status of privacy protection in this rapidly growing ecosystem. For instance, one third of apps fail to declare their use of sensitive data, and 21.5\% of apps neglect to provide valid privacy policies. Our work sheds light on the status quo of privacy protection within the VR app ecosystem for the first time. Our findings should raise an alert to VR app developers and users, and encourage store operators to implement stringent regulations on privacy compliance among VR apps.
Paper Structure (64 sections, 6 figures, 9 tables)

This paper contains 64 sections, 6 figures, 9 tables.

Figures (6)

  • Figure 1: The workflow of privacy measurement of virtual reality app ecosystem
  • Figure 2: An example of textual artifacts of a VR app (with privacy-related texts highlighted)
  • Figure 3: The coverage of multilingual versions of privacy policies across VR stores
  • Figure 4: A demonstration of IL2CPP native code analysis
  • Figure 5: A demonstration of Unreal-based app analysis
  • ...and 1 more figures