DOI: 10.1145/2736277.2741657
research-article

No Escape From Reality: Security and Privacy of Augmented Reality Browsers

Published: 18 May 2015

Abstract

Augmented reality (AR) browsers are an emerging category of mobile applications that add interactive virtual objects to the user's view of the physical world. This paper gives the first system-level evaluation of their security and privacy properties.
We start by analyzing the functional requirements that AR browsers must support in order to present AR content. We then investigate the security architecture of Junaio, Layar, and Wikitude browsers, which are running today on over 30 million mobile devices, and identify new categories of security and privacy vulnerabilities unique to AR browsers. Finally, we provide the first engineering guidelines for securely implementing AR functionality.

    Published In

    WWW '15: Proceedings of the 24th International Conference on World Wide Web
    May 2015
    1460 pages
    ISBN:9781450334693

    Sponsors

    • IW3C2: International World Wide Web Conference Committee

    Publisher

    International World Wide Web Conferences Steering Committee

    Republic and Canton of Geneva, Switzerland

    Publication History

    Published: 18 May 2015

    Author Tags

    1. augmented reality
    2. mobile security
    3. privacy
    4. web security

    Qualifiers

    • Research-article

    Funding Sources

    • NIH
    • NSF
    • Google

    Conference

    WWW '15
    Sponsor:
    • IW3C2

    Acceptance Rates

    WWW '15 Paper Acceptance Rate 131 of 929 submissions, 14%;
    Overall Acceptance Rate 1,899 of 8,196 submissions, 23%
