Ensuring application security requires a multidisciplinary approach. We currently scan each application submitted to the Oculus Store with antivirus and malware detection technology to help prevent intentionally malicious apps from reaching users.
Starting today we are expanding our services to include a security vulnerability scan that will be automatically applied to all Quest, Go and GearVR applications submitted to the Store. The purpose of this scan is to educate and inform you of any existing vulnerabilities in your application that could be exploited by a third party, such as the Heartbleed Bug in the popular OpenSSL software library.
We highly encourage you to take a look at the report as you submit new applications to the Store, and fix any vulnerabilities that are surfaced.
Please note that in the future we will block any mobile application submitted to the Store that has certain high priority security vulnerabilities present. We will notify you before this goes into place, and you will then be invited to correct these vulnerabilities and resubmit your app. See below for initial FAQs on this update:
Will this scan retroactively apply to apps that have already been submitted to the Store?
No this will only be applied to future mobile apps submitted to the Store.
Will the scan be applied to apps as they are updated and resubmitted to the Store?
Yes, any new version of app binaries under the same name will be re-scanned upon being submitted to the Store.
By what date do any detected security vulnerabilities need to be fixed?
We haven’t set a specific date yet, but we will notify you when it is determined.
Do all security vulnerabilities detected need to be fixed? If not, which ones need to be fixed?
No. Only those issues marked as “failures” will need to be fixed.
Why aren’t Rift apps scanned in the same way?
Our focus today is on the Mobile platform: Quest, Go, and GearVR.
Where will I be notified of any security vulnerabilities detected in my app?
You will be notified via the Oculus Dashboard which shows test results for your binary.
Are users of my app notified of any security vulnerabilities that exist?
We will only be surfacing this information to developers. At this time users will not be notified of security vulnerabilities that exist in apps.