Auditing Network Traffic and Privacy Policies in Oculus VR

Virtual reality (VR) is an emerging technology that enables new applications but also introduces privacy risks. In this paper, we focus on Oculus VR (OVR), the leading platform in the VR space, and we provide the first comprehensive analysis of personal data exposed by OVR apps and the platform itself, from a combined networking and privacy policy perspective. We experimented with the Quest 2 headset and tested the most popular VR apps available on the official Oculus and the SideQuest app stores. We developed OVRSEEN, a methodology and system for collecting, analyzing, and comparing network traffic and privacy policies on OVR. On the networking side, we captured and decrypted network traffic of VR apps, which was previously not possible on OVR, and we extracted data flows, defined as ⟨app, data type, destination⟩. Compared to the mobile and other app ecosystems, we found OVR to be more centralized and driven by tracking and analytics, rather than by third-party advertising. We show that the data types exposed by VR apps include personally identifiable information (PII), device information that can be used for fingerprinting, and VR-specific data types. By comparing the data flows found in the network traffic with statements made in the apps’ privacy policies, we found that approximately 70% of OVR data flows were not properly disclosed. Furthermore, we extracted additional context from the privacy policies, and we observed that 69% of the data flows were used for purposes unrelated to the core functionality of apps.
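To make the flow-to-policy comparison concrete, here is an added example (not OVRSEEN's code or data) that classifies each observed ⟨app, data type, destination⟩ flow as clearly disclosed, only vaguely disclosed through more general policy terms, or omitted from the policy altogether, and then reports the share that is not properly disclosed. The data-type ontology, the app's domains, the flows and the policy statements are all constructed for illustration.

```python
# Added example, not OVRSEEN's code: check observed <app, data type, destination>
# flows against (entity, data type) statements from the app's privacy policy.
from collections import Counter

# Constructed data-type ontology: specific term -> more general term.
DATA_TYPE_PARENT = {
    "android id": "device id",
    "device id": "device information",
    "play area": "vr data",
    "hand tracking": "vr data",
}

def data_type_terms(data_type):  # exact type first, then each ancestor
    while data_type is not None:
        yield data_type
        data_type = DATA_TYPE_PARENT.get(data_type)

def entity_terms(destination, app_domains):  # policy terms covering a recipient
    if destination in app_domains:
        yield "first party"   # the developer's own servers ("we collect ...")
    else:
        yield destination     # policy names the recipient explicitly
        yield "third party"   # policy only uses the generic term

def classify_flow(flow, policy, app_domains):
    """'clear': exact match; 'vague': only general terms match; 'omitted': none."""
    _, data_type, destination = flow
    for i, dt in enumerate(data_type_terms(data_type)):
        for j, ent in enumerate(entity_terms(destination, app_domains)):
            if (ent, dt) in policy:
                return "clear" if i == 0 and j == 0 else "vague"
    return "omitted"

def audit(flows, policy, app_domains):  # counts and share not clearly disclosed
    counts = Counter(classify_flow(f, policy, app_domains) for f in flows)
    return counts, (counts["vague"] + counts["omitted"]) / len(flows)

# Constructed sample for one hypothetical app; ".test" domains are placeholders.
APP_DOMAINS = {"api.example-vr.test"}
FLOWS = [
    ("example-vr", "email address", "api.example-vr.test"),
    ("example-vr", "android id", "analytics.tracker.test"),
    ("example-vr", "play area", "api.example-vr.test"),
    ("example-vr", "hand tracking", "analytics.tracker.test"),
]
POLICY = {
    ("first party", "email address"),
    ("third party", "device information"),
    ("first party", "vr data"),
}
```

Running `audit(FLOWS, POLICY, APP_DOMAINS)` on the sample yields one clear, two vague and one omitted flow, so 75% of these constructed flows are not properly disclosed.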
