ABSTRACT
Augmented reality (AR) browsers are an emerging category of mobile applications that add interactive virtual objects to the user's view of the physical world. This paper gives the first system-level evaluation of their security and privacy properties.
We start by analyzing the functional requirements that AR browsers must support in order to present AR content. We then investigate the security architecture of Junaio, Layar, and Wikitude browsers, which are running today on over 30 million mobile devices, and identify new categories of security and privacy vulnerabilities unique to AR browsers. Finally, we provide the first engineering guidelines for securely implementing AR functionality.
Index Terms
- No Escape From Reality: Security and Privacy of Augmented Reality Browsers