The VR application ecosystem lacks unified privacy regulation, resulting in widespread noncompliance across app stores regarding data collection disclosures and behavioral adherence to privacy policies. Method: This study presents the first large-scale, cross-platform empirical measurement of privacy practices in VR applications, analyzing 6,565 apps from five major VR app stores. We integrate natural language processing, reverse engineering, and static code analysis to jointly examine declared permissions, actual code-level data access behaviors, and privacy policy content. Contribution/Results: We find that 33.1% of apps fail to declare usage of sensitive data, while 21.5% lack a valid, accessible privacy policy; systemic compliance gaps persist across mainstream stores. This work provides the first comprehensive, evidence-based characterization of real-world privacy practices in VR environments, establishing a foundational empirical basis for developing targeted regulatory frameworks and privacy-enhancing technologies.

Virtual Reality (VR) has gained increasing traction among various domains in recent years, with major companies such as Meta, Pico, and Microsoft launching their application stores to support third-party developers in releasing their applications (or simply apps). These apps offer rich functionality but inherently collect privacy-sensitive data, such as user biometrics, behaviors, and the surrounding environment. Nevertheless, there is still a lack of domain-specific regulations to govern the data handling of VR apps, resulting in significant variations in their privacy practices among app stores. In this work, we present the first comprehensive multi-store study of privacy practices in the current VR app ecosystem, covering a large-scale dataset involving 6,565 apps collected from five major app stores. We assess both declarative and behavioral privacy practices of VR apps, using a multi-faceted approach based on natural language processing, reverse engineering, and static analysis. Our assessment reveals significant privacy compliance issues across all stores, underscoring the premature status of privacy protection in this rapidly growing ecosystem. For instance, one third of apps fail to declare their use of sensitive data, and 21.5% of apps neglect to provide valid privacy policies. Our work sheds light on the status quo of privacy protection within the VR app ecosystem for the first time. Our findings should raise an alert to VR app developers and users, and encourage store operators to implement stringent regulations on privacy compliance among VR apps.