AUTOVR: Automated UI Exploration for Detecting Sensitive Data Flow Exposures in Virtual Reality Apps

TL;DR

AUTOVR is an automated framework that enhances UI exploration in VR apps, uncovering sensitive data flows more effectively than existing tools, thereby improving privacy detection in VR applications.

Contribution

We introduce AUTOVR, a novel automated tool for dynamic UI exploration in VR apps that analyzes internal binaries and uncovers hidden events for comprehensive testing.

Findings

AUTOVR triggers significantly more sensitive data exposures than Android Monkey.

AUTOVR outperforms existing tools in VR app privacy testing.

The framework improves detection of sensitive data flows in VR applications.

Abstract

The rise of Virtual Reality (VR) has provided developers with an unprecedented platform for creating games and applications (apps) that require distinct inputs, different from those of conventional devices like smartphones. The Meta Quest VR platform, driven by Meta, has democratized VR app publishing and attracted millions of users worldwide. However, as the number of published apps grows, there is a notable lack of robust headless tools for user interface (UI) exploration and user event testing. To address this need, we present AUTOVR, an automatic framework for dynamic UI and user event interaction in VR apps built on the Unity Engine. Unlike conventional Android and GUI testers, AUTOVR analyzes the app's internal binary to reveal hidden events, resolves generative event dependencies, and utilizes them for comprehensive exploration of VR apps. Using sensitive data exposure as a performance metric, we compare AUTOVR with Android Monkey, a widely used headless Android GUI stress testing tool. Our empirical evaluation demonstrates AUTOVR's superior performance, triggering an order of magnitude of more sensitive data exposures and significantly enhancing the privacy of VR apps.