
Try On, Spied On?: Privacy Analysis of Virtual Try-On Websites and Android Apps

Conference paper, in: Computer Security. ESORICS 2023 International Workshops (ESORICS 2023)

Abstract

The use of augmented reality (AR) technology for virtual try-on (VTO) in online shopping is on the rise, but its privacy implications are not well explored. To examine privacy issues in VTO websites and apps, we analyze 138 websites and 28 Android apps that offer VTO. By capturing and analyzing the network traffic, we found that 65% of the websites send user images to a server: 8% to first-party (FP) servers only, and 57% to third-party (TP) servers only or to both FP and TP. 18% of apps send user images to a server: 4% to FP servers only, and 14% to TP servers only or to both FP and TP. Additionally, 43 websites and 2 apps are confirmed to have users’ images stored, either by the FP website or by a TP. 37% of websites are confirmed to use VTO providers that extract facial geometry from the received users’ images. We also found that 11% of websites featuring VTO violate their own privacy policies, and 25% use a VTO provider that violates its own privacy policy. Privacy policy violations include sending the user’s image to the website’s own server, or to a TP server, despite the privacy policy stating otherwise. Furthermore, 22% of websites use disclaimers that mislead users about what happens to their data when using VTO. We also found 1446 and 931 TP tracking scripts and cookies, respectively, in the analyzed websites. Finally, we identified security vulnerabilities, such as broken authentication, in a VTO provider; these can compromise its merchants. These findings underscore the need for greater transparency and clarity from companies using VTO features, and highlight the potential risks to user privacy, even from top brands.
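The core of the measurement described above is deciding, for each captured request, whether its body carries a user image and whether the destination is first-party or third-party relative to the page. The following Python sketch is an added example, not code from the paper or its authors' artifact repository; it assumes request bodies captured as bytes (e.g. exported from a proxy), treats the last two DNS labels as the registrable domain (a simplification of a public-suffix lookup), and uses a constructed capture for a fictitious shop so it runs offline.

```python
"""Classify captured VTO traffic: which requests carry a user image, and to whom."""
import base64
import re
from urllib.parse import urlparse

# Magic numbers of the image formats a camera or file picker typically produces.
IMAGE_MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]

# A base64 run of 64+ characters is long enough to be a picture rather than a token.
BASE64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def sniff_raw(data: bytes):
    """Return the image format if `data` starts with a known magic number, else None."""
    for magic, fmt in IMAGE_MAGIC:
        if data.startswith(magic):
            return fmt
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None


def sniff_base64(data: bytes):
    """Decode the head of every long base64 run and check it for an image magic number."""
    for m in BASE64_RUN_RE.finditer(data):
        head = m.group(0)[:32]  # 32 base64 chars -> 24 bytes, enough for every magic above
        try:
            decoded = base64.b64decode(head, validate=True)
        except ValueError:
            continue
        fmt = sniff_raw(decoded)
        if fmt:
            return fmt
    return None


def image_in_body(body: bytes):
    """Find an image in a request body: raw, inside a multipart part, or base64 (JSON / data URI)."""
    fmt = sniff_raw(body)
    if fmt:
        return fmt
    # multipart/form-data: a part's payload starts with the magic bytes somewhere in the body.
    # (Heuristic: a bare 3-byte JPEG magic can occur in unrelated binary data.)
    for magic, fmt in IMAGE_MAGIC:
        if magic in body:
            return fmt
    if b"RIFF" in body and b"WEBP" in body:
        return "webp"
    return sniff_base64(body)


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1 (last two labels). Assumption: a real audit uses a public-suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def classify(page_url: str, req_url: str, body: bytes) -> dict:
    """Label one captured request: first/third party relative to the page, and image format if any."""
    page_dom = registrable_domain(urlparse(page_url).hostname)
    req_host = urlparse(req_url).hostname
    party = "first" if registrable_domain(req_host) == page_dom else "third"
    return {"url": req_url, "party": party, "image": image_in_body(body)}


def summarize(page_url: str, captures) -> dict:
    """Reduce one page's capture into the three categories the study reports."""
    findings = [classify(page_url, url, body) for url, body in captures]
    fp = any(f["party"] == "first" and f["image"] for f in findings)
    tp = any(f["party"] == "third" and f["image"] for f in findings)
    if tp:
        category = "third-party (or both)"
    elif fp:
        category = "first-party only"
    else:
        category = "no image upload observed"
    return {"category": category, "image_requests": [f for f in findings if f["image"]]}


# Constructed sample capture for a fictitious shop (hostnames and bodies are made up).
SAMPLE_PAGE = "https://shop.example/glasses/tryon"
SAMPLE_CAPTURES = [
    # multipart upload of a JPEG to the shop's own API (first party)
    ("https://api.shop.example/vto/upload",
     b'--boundary\r\nContent-Disposition: form-data; name="photo"; filename="me.jpg"\r\n'
     b"Content-Type: image/jpeg\r\n\r\n\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01...\r\n--boundary--"),
    # JSON body carrying a base64 PNG frame to an external VTO provider (third party)
    ("https://vto-provider.example/v1/analyze",
     b'{"session":"abc","frame":"' + base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(64)) + b'"}'),
    # analytics beacon with no image
    ("https://analytics.example/collect", b"ev=pageview&sid=123"),
]

if __name__ == "__main__":
    result = summarize(SAMPLE_PAGE, SAMPLE_CAPTURES)
    print(result["category"])
    for f in result["image_requests"]:
        print(f"  {f['party']}-party {f['image']} upload -> {f['url']}")
```

Running the block prints `third-party (or both)` for the sample, with one first-party JPEG upload and one third-party PNG upload listed. The base64 check matters in practice because many VTO widgets ship camera frames as data URIs or JSON strings rather than as multipart files, which a plain content-type filter would miss.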


Notes

  1. https://github.com/virtualtryon2023/openwpm-cookies-and-scripts-extension.
  2. https://virtualmirror-xp.luxottica.com/kvbkF86bZsvnGqLmsfUdGj.
  3. https://clarity.microsoft.com/.
  4. https://us.jins.com.
  5. https://github.com/virtualtryon2023/VTO-Privacy-Analysis.
  6. https://logrocket.com/.
  7. The app has been removed from Google Play as of August 10.
  8. https://3dlook.me/.
  9. https://www.eyeconic.com/.
  10. https://www.lenscrafters.ca.
  11. https://www.perfectcorp.com/business.
  12. https://www.deepar.ai/.


Acknowledgment

This work was supported by the Office of the Privacy Commissioner of Canada (OPC). We also thank the anonymous DPM 2023 reviewers for their insightful feedback and suggestions.

Author information

Corresponding author: Abdelrahman Ragab.


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Ragab, A., Mannan, M., Youssef, A. (2024). Try On, Spied On?: Privacy Analysis of Virtual Try-On Websites and Android Apps. In: Katsikas, S., et al. Computer Security. ESORICS 2023 International Workshops. ESORICS 2023. Lecture Notes in Computer Science, vol 14398. Springer, Cham. https://doi.org/10.1007/978-3-031-54204-6_13

  • DOI: https://doi.org/10.1007/978-3-031-54204-6_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-54203-9

  • Online ISBN: 978-3-031-54204-6

  • eBook Packages: Computer Science (R0)
