NDSS2026

From Perception to Protection: A Developer-Centered Study of Security and Privacy Threats in Extended Reality (XR)

Kunlin Cai, Jinghuai Zhang, Ying Li, Zhiyuan Wang, Xun Chen, Tianshi Li, Yuan Tian

Abstract

The immersive nature of XR introduces a fundamentally different set of security and privacy (S&P) challenges due to the unprecedented user interactions and data collection that traditional paradigms struggle to mitigate. As the primary architects of XR applications, developers play a critical role in addressing novel threats. However, to effectively support developers, we must first understand how they perceive and respond to different threats. Despite the growing importance of this issue, there is a lack of in-depth, threat-aware studies that examine XR S&P from the developers' perspective. To fill this gap, we interviewed 23 professional XR developers with a focus on emerging threats in XR. Our study addresses two research questions aiming to uncover existing problems in XR development and identify actionable paths forward. By examining developers' perceptions of S&P threats, we found that: (1) XR development decisions (e.g., rich sensor data collection, user-generated content interfaces) are closely tied to and can amplify S&P threats, yet developers are often unaware of these risks, resulting in cognitive biases in threat perception; and (2) limitations in existing mitigation methods, combined with insufficient strategic, technical, and communication support, undermine developers' motivation, awareness, and ability to effectively address these threats. Based on these findings, we propose actionable and stakeholder-aware recommendations to improve XR S&P throughout the XR development process. This work represents the first effort to undertake a threat-aware, developer-centered study in the XR domain, an area where the immersive, data-rich nature of XR technology introduces distinctive challenges.

A portion of this work was conducted during Kunlin Cai's internship with Xun Chen at Samsung Research America.

how people learn, work, and interact.
By 2025, the global XR market is projected to reach USD 87.3 billion, with the applications segment accounting for the largest share at 65%, signaling significant growth in XR applications [1]. However, the rapid expansion of XR applications is a double-edged sword, offering substantial benefits while introducing notable security and privacy (S&P) risks [2]. The S&P concerns in XR applications, encompassing augmented reality (AR), virtual reality (VR), and mixed reality (MR), require a dedicated investigation due to their unique characteristics: (1) XR provides users with unparalleled immersive experiences [3] by enabling innovative interaction designs unique to spatial computing, such as lifelike avatar embodiment [4] and gaze-based or emotion-driven interactions [5], [6]. These advancements introduce new security concerns, including but not limited to XR side-channel attacks [7], [8], [9], immersive digital manipulation [10], [11], [12], identity threats [13], and intellectual property threats arising from the blending of real and virtual content [14], [15]. (2) XR inherently requires extensive collection of multimodal user and environment data, such as gestures, gaze, voice, physiological signals, location, and movement. Together, these data streams provide a granular, real-time representation of the user's state, and prior studies [16], [17], [18], [19] have shown that such fine-grained data opens new avenues for attackers to exploit XR systems and compromise user privacy.

The interaction designs and data collection channels in XR are primarily determined by developers at the application level. Since developers play a key role in creating these designs [20], their design choices directly shape the S&P posture of applications. However, current XR research [21], [22] focuses primarily on user-centered studies that aim to understand the S&P issues users care about.
Although existing studies provide valuable insights from the user perspective, they often fall short in connecting S&P issues with the actual development process and in uncovering the key factors that hinder S&P development. Therefore, there is an urgent need for dedicated developer-centered studies to gain a deeper understanding of the causes behind emerging threats in XR applications. Specifically, developers' awareness, misconceptions, atti-