A Multi-Store Privacy Measurement of Virtual Reality App Ecosystem
Chuan Yan, Zeng Li, Kunlin Cai, Liuhuo Wan, Ruomai Ren, Yiran Shen, Guangdong Bai
TL;DR
The paper addresses the privacy risks in the VR app ecosystem by conducting the first large-scale, multi-store analysis of declarative and behavioral privacy practices across five major VR stores, examining 6,565 apps and 802 Oculus/Pico APKs with 2,788 privacy policies. It combines VR-domain privacy taxonomy with NLP, reverse engineering, and static analysis to build an adaptive framework capable of cross-engine (Unity/Unreal) and cross-store privacy measurement. Key findings reveal substantial gaps: about a third of apps do not declare sensitive data, and roughly 21.5% lack valid privacy policies; many policies are non-VR-specific or inaccessible, and there are notable inconsistencies between declared and observed data practices. The work provides actionable guidance for store operators, developers, and users to improve transparency, policy quality, and compliance, and offers a scalable methodology for ongoing privacy assessment in the rapidly growing VR ecosystem.
Abstract
Virtual Reality (VR) has gained increasing traction among various domains in recent years, with major companies such as Meta, Pico, and Microsoft launching their application stores to support third-party developers in releasing their applications (or simply apps). These apps offer rich functionality but inherently collect privacy-sensitive data, such as user biometrics, behaviors, and the surrounding environment. Nevertheless, there is still a lack of domain-specific regulations to govern the data handling of VR apps, resulting in significant variations in their privacy practices among app stores. In this work, we present the first comprehensive multi-store study of privacy practices in the current VR app ecosystem, covering a large-scale dataset involving 6,565 apps collected from five major app stores. We assess both declarative and behavioral privacy practices of VR apps, using a multi-faceted approach based on natural language processing, reverse engineering, and static analysis. Our assessment reveals significant privacy compliance issues across all stores, underscoring the premature status of privacy protection in this rapidly growing ecosystem. For instance, one third of apps fail to declare their use of sensitive data, and 21.5\% of apps neglect to provide valid privacy policies. Our work sheds light on the status quo of privacy protection within the VR app ecosystem for the first time. Our findings should raise an alert to VR app developers and users, and encourage store operators to implement stringent regulations on privacy compliance among VR apps.
