This study addresses the critical gap in developers’ security and privacy (S&P) awareness and threat response capabilities in extended reality (XR). Adopting a threat-perception lens, it conducts the first developer-centered qualitative investigation in XR S&P. Through 24 semi-structured interviews grounded in representative XR scenarios—such as sensor-based data collection and immersive user interaction—the study performs threat modeling and cognitive bias analysis. Findings reveal pervasive developer-level biases: systematic threat underestimation, misattribution of responsibility, and fragmented mitigation strategies—rooted in inadequate S&P tooling, absence of S&P integration in development lifecycles, and lack of cross-role communication mechanisms. The work proposes a three-tiered, actionable framework targeting developers, platform providers, and standards bodies. It thus fills a key empirical and threat-driven research void in XR S&P, advancing both scholarly understanding and practical intervention design.

The immersive nature of XR introduces a fundamentally different set of security and privacy (S&P) challenges due to the unprecedented user interactions and data collection that traditional paradigms struggle to mitigate. As the primary architects of XR applications, developers play a critical role in addressing novel threats. However, to effectively support developers, we must first understand how they perceive and respond to different threats. Despite the growing importance of this issue, there is a lack of in-depth, threat-aware studies that examine XR S&P from the developers' perspective. To fill this gap, we interviewed 23 professional XR developers with a focus on emerging threats in XR. Our study addresses two research questions aiming to uncover existing problems in XR development and identify actionable paths forward. By examining developers' perceptions of S&P threats, we found that: (1) XR development decisions (e.g., rich sensor data collection, user-generated content interfaces) are closely tied to and can amplify S&P threats, yet developers are often unaware of these risks, resulting in cognitive biases in threat perception; and (2) limitations in existing mitigation methods, combined with insufficient strategic, technical, and communication support, undermine developers' motivation, awareness, and ability to effectively address these threats. Based on these findings, we propose actionable and stakeholder-aware recommendations to improve XR S&P throughout the XR development process. This work represents the first effort to undertake a threat-aware, developer-centered study in the XR domain -- an area where the immersive, data-rich nature of the XR technology introduces distinctive challenges.