A Multi-Store Privacy Measurement of Virtual Reality App Ecosystem

TL;DR

This study provides a comprehensive analysis of privacy practices across major VR app stores, revealing widespread privacy compliance issues and highlighting the need for stricter regulations to protect user data in the VR ecosystem.

Contribution

It is the first large-scale, multi-store analysis of privacy practices in the VR app ecosystem, combining NLP, reverse engineering, and static analysis techniques.

Findings

One third of VR apps do not declare sensitive data use.

21.5% of apps lack valid privacy policies.

Significant privacy compliance issues are prevalent across all stores.

Abstract

Virtual Reality (VR) has gained increasing traction among various domains in recent years, with major companies such as Meta, Pico, and Microsoft launching their application stores to support third-party developers in releasing their applications (or simply apps). These apps offer rich functionality but inherently collect privacy-sensitive data, such as user biometrics, behaviors, and the surrounding environment. Nevertheless, there is still a lack of domain-specific regulations to govern the data handling of VR apps, resulting in significant variations in their privacy practices among app stores. In this work, we present the first comprehensive multi-store study of privacy practices in the current VR app ecosystem, covering a large-scale dataset involving 6,565 apps collected from five major app stores. We assess both declarative and behavioral privacy practices of VR apps, using a multi-faceted approach based on natural language processing, reverse engineering, and static analysis. Our assessment reveals significant privacy compliance issues across all stores, underscoring the premature status of privacy protection in this rapidly growing ecosystem. For instance, one third of apps fail to declare their use of sensitive data, and 21.5\% of apps neglect to provide valid privacy policies. Our work sheds light on the status quo of privacy protection within the VR app ecosystem for the first time. Our findings should raise an alert to VR app developers and users, and encourage store operators to implement stringent regulations on privacy compliance among VR apps.