TY - JOUR
T1 - Hidden in Plain Sight
T2 - Exploring Privacy Risks of Mobile Augmented Reality Applications
AU - Lehman, Sarah M.
AU - Alrumayh, Abrar S.
AU - Kolhe, Kunal
AU - Ling, Haibin
AU - Tan, Chiu C.
N1 - Publisher Copyright:
© 2022 Association for Computing Machinery.
PY - 2022/11
Y1 - 2022/11
N2 - Mobile augmented reality systems are becoming increasingly common and powerful, with applications in such domains as healthcare, manufacturing, education, and more. This rise in popularity is thanks in part to the functionalities offered by commercially available vision libraries such as ARCore, Vuforia, and Google's ML Kit; however, these libraries also give rise to the possibility of a hidden operations threat, that is, the ability of a malicious or incompetent application developer to conduct additional vision operations behind the scenes of an otherwise honest AR application without alerting the end-user. In this article, we present the privacy risks associated with the hidden operations threat and propose a framework for application development and runtime permissions targeted specifically at preventing the execution of hidden operations. We follow this with a set of experimental results, exploring the feasibility and utility of our system in differentiating between user-expectation-compliant and non-compliant AR applications during runtime testing, for which preliminary results demonstrate accuracy of up to 71%. We conclude with a discussion of open problems in the areas of software testing and privacy standards in mobile AR systems.
AB - Mobile augmented reality systems are becoming increasingly common and powerful, with applications in such domains as healthcare, manufacturing, education, and more. This rise in popularity is thanks in part to the functionalities offered by commercially available vision libraries such as ARCore, Vuforia, and Google's ML Kit; however, these libraries also give rise to the possibility of a hidden operations threat, that is, the ability of a malicious or incompetent application developer to conduct additional vision operations behind the scenes of an otherwise honest AR application without alerting the end-user. In this article, we present the privacy risks associated with the hidden operations threat and propose a framework for application development and runtime permissions targeted specifically at preventing the execution of hidden operations. We follow this with a set of experimental results, exploring the feasibility and utility of our system in differentiating between user-expectation-compliant and non-compliant AR applications during runtime testing, for which preliminary results demonstrate accuracy of up to 71%. We conclude with a discussion of open problems in the areas of software testing and privacy standards in mobile AR systems.
KW - Augmented reality
KW - mobile system security
KW - user privacy
UR - http://www.scopus.com/inward/record.url?scp=85135088589&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85135088589&partnerID=8YFLogxK
U2 - 10.1145/3524020
DO - 10.1145/3524020
M3 - Article
AN - SCOPUS:85135088589
SN - 2471-2566
VL - 25
JO - ACM Transactions on Privacy and Security
JF - ACM Transactions on Privacy and Security
IS - 4
M1 - 26
ER -