This page explains OVRseen's workflow for collecting network traffic from VR apps.

The following dependencies have been installed in the provided VM.

• aapt v0.2-27.0.1
• aapt 2:19
• apksigner
• apktool v2.6.0
• gdown 4.0.1
• zipalign

For network traffic collection, we use the latest AntMonitor version. Please also run the following command to activate a Python virtual environment (with the right dependencies) before using OVRseen.

OVRseen/virtualenv $ ./python3_venv.sh
OVRseen/virtualenv $ source python3_venv/bin/activate

We use Frida to bypass TLS certificate validation on Quest 2 and AntMonitor to capture network traffic in the form of PCAP files.

1) Please download the latest AntMonitor's code and compile it as per the provided instructions. You can also download the latest special release for OVRseen here. Please install the APK file on the Quest 2 device using adb install <AntMonitor-apk-name>.apk. We then need to activate the traffic collection switch (can be found when clicking on the three-horizontal bar sign on the upper left-hand corner of the app) for the first time: we will be prompted to install AntMonitor's certificate. After accepting the certificate, we can deactivate the traffic collection switch and delete any saved PCAP files on the device's memory (i.e., in /sdcard/anteater) by running the following command.

$ adb shell "rm -rf /sdcard/anteater/*"

Please note that there might be issues when using the Oculus Developer Hub Software to launch AntMonitor: it forces apps to launch apps in VR mode, which AntMonitor does not support.

2) Please set up Frida libraries (download libfrida-gadgets.zip from here), and set up the local keystore that will be used to sign the repackaged app. Please use password as the password for the keystore and input arbitrary user information when prompted.

OVRseen/network_traffic/traffic_collection/apk_processing $ unzip libfrida-gadgets.zip
OVRseen/network_traffic/traffic_collection/apk_processing $ keytool -genkey -v -keystore appmon.keystore -alias mykeyaliasname -keyalg RSA -keysize 2048 -validity 10000

3) Please download the Unity library zipped file, put it in the OVRseen/network_traffic_analysis/traffic_collection/cert_validation_bypass folder, and unzip it (into the folder unity_so_files). Please ensure that we have enough free space on disk because the size of the folder is going to be around 19GB unzipped. We only included all the necessary Unity files in this zipped file (the entire collection of Unity files were more than 300GB and these can be downloaded one version at a time from Unity's archive).

OVRseen/network_traffic/traffic_collection/cert_validation_bypass $ unzip unity_so_files.zip

This zipped file only contains Unity library files up to the time of our experiments. If one needs newer library files, they will need to download the newer versions from the Unity's archive website and update our zipped file following the same directory structure. Please find more details in this Github issue as well.

We can use the USB-C cable to do the testing. However, if we want to perform a wireless testing, we need to perform the following steps first.

4) Please connect the USB-C cable to the device and find the IP address of the device through adb shell. Then, we take note of the IP address from the wlan0 entry.

$ adb shell "ip addr show"

5) Please run the following command to restart adb to run in tcpip mode.

$ adb tcpip 5555

6) Please unplug the device and connect to the device by executing the following command.

$ adb connect <ip-address-from-step-4-above>:5555

7) Please run the script apk_download_utility.py. The following command will generate the InstalledAPKs that will contain the list of apps already installed on the device. The script is going to use this list (if it can find one) as a baseline to download any other app that is not on the list. After plugging in your Oculus Quest 2 device, if you are using our VM, please connect the device by selecting Quest 2 as a connected USB device. Then, we have to start the adb server using the sudo command and, from the Quest 2 device, we have to allow the connection as well by confirming through the appearing pop-up window.

OVRseen/network_traffic/traffic_collection/apk_processing $ sudo adb start-server # Then, please confirm through the pop-up window on the Quest 2 device.
OVRseen/network_traffic/traffic_collection/apk_processing $ python3 apk_download_utility.py InstalledAPKs --apk_dir APKs

8) Please install the apps to test on the Quest 2 device. Please refer to our lists of top apps on Oculus and SideQuest stores in our datasets.

9) Please re-run the script apk_download_utility.py to download the APKs of the newly installed apps. The APK files will be downloaded and stored in the APKs folder.

OVRseen/network_traffic/traffic_collection/apk_processing $ python3 apk_download_utility.py InstalledAPKs --apk_dir APKs

After downloading the APKs, this script will also generate a CSV file that contains the list of downloaded APKs (i.e., named app-list-<date-time>.csv); it maps app names to their respective package names.

10) Please take an app to test from the list of downloaded APKs in step 7). Then, please run the script frida_automate.sh to repackage and reinstall the app's APK: this script is adapted from appmon. For example, the following command is going to run the script for Beat Saber - Demo app. We can download the sample APK for this app (i.e., com.beatgames.beatsaber.demo.apk) and put it inside the APKs folder by executing the following commands. This APK can be easily obtained by installing Beat Saber - Demo app, a free app on Oculus, and executing the command adb pull.

OVRseen/network_traffic/traffic_collection/apk_processing $ mkdir -p APKs; mv com.beatgames.beatsaber.demo.apk APKs

For every app's APK we repackage, we have to execute the following command (the following example is given for com.beatgames.beatsaber.demo.apk).

OVRseen/network_traffic/traffic_collection/apk_processing $ ./frida_automate.sh APKs/obb/ password APKs/com.beatgames.beatsaber.demo.apk # This will generate the repackaged APK as _com.beatgames.beatsaber.demo.apk

This script will also generate a CSV called apps-under-test.csv (if there has not been one), and insert the package name that is under test along with the information whether it was built using Unity, Unreal, or other architectures.

11) Please disconnect your USB now and turn on the traffic collection switch on the running AntMonitor.

12) Please run the app that is going to be tested; the screen will go dark and sometimes there are pop-up windows asking for permissions (please make sure that we select all options necessary to make the app launch).

13) When the screen is dark and nothing else is happening, please run Frida client to bypass SSL pinnings by running the script bypass_all_ssl_pinnings.sh.

OVRseen/network_traffic/traffic_collection/cert_validation_bypass $ ./bypass_all_ssl_pinnings.sh -l unity_so_files -a ../apk_processing/APKs/

14) Please experiment with the app (in our experiments we conducted this for around 7 minutes per app) as AntMonitor is collecting network traffic. Methodically, one can test the different menu options: (1) settings, and (2) gameplay (please attempt to try 2-3 different gameplays when possible).

15) At this point, we can stop the app, press the Oculus button (the one with the Oculus logo) on the controller, and click on the Quit button on the screen.

16) Please turn off traffic collection on AntMonitor by clicking on the switch.

17) Please reconnect your USB and run the PCAP downloading script get_pcaps.sh. This script also uninstalls the APK automatically for you.

OVRseen/network_traffic/traffic_collection/cert_validation_bypass $ ./get_pcaps.sh -d pcaps

Note: If there is an error about the path, some versions of AntMonitor use /sdcard/anteater and some of them use /sdcard/antmonitor. Please update this script accordingly if needed.

18) We repeat from step 10) for the next app's APK, or step 7) if we need to download another set of APKs. In our experiments, we downloaded and tested at most 15-20 apps in one testing session (we did not test more apps in one session, but the internal Quest 2 device memory may be able to hold more apps).