Abstract(s)
Augmented Reality (AR) has expanded rapidly into domains such as entertainment, healthcare, education, industry, and defense, transforming the way individuals and organizations interact with digital content. By merging real and virtual environments, AR enables new experiences and innovative applications. However, its constant dependence on sensors, cameras, and real-time data processing makes these systems particularly vulnerable to security and privacy risks. Problems such as unauthorized access, insecure storage, or the misuse of environmental and biometric data significantly amplify the consequences of vulnerabilities in AR platforms, making it essential to adopt security approaches from the initial design phase.

This work was developed within the scope of the SafeAR project, whose objective is to create automatic tools to protect privacy and confidentiality in AR environments while ensuring continuous, real-time experiences. The project identifies the main classes of risks associated with data capture in AR and applies machine learning techniques to detect them, validating its solutions in two application scenarios: a location-based AR game (LootAR) and an industrial training and manufacturing application (UnitySafe). These two case studies served as the basis for this dissertation.

To evaluate their security robustness, a structured penetration testing methodology was applied, based on the OWASP Mobile Application Security Testing Guide (MSTG), the OWASP Mobile Top 10 (2024), and the OWASP Top 10 Web Application Security Risks (2021). The analysis covered aspects such as storage, authentication, application permissions, and network traffic, with a particular focus on the handling of TLS communications. Static and dynamic analysis techniques and specialized tools were used for a systematic assessment of vulnerabilities in mobile and HoloLens environments.

This project contributes a structured penetration testing methodology adapted to AR applications, identifying specific risks and proposing mitigation strategies. In doing so, it reinforces the mission of the SafeAR project, supporting the development of trustworthy and privacy-respecting AR ecosystems.
Augmented Reality (AR) has rapidly expanded into domains such as entertainment, healthcare, education, manufacturing, and defense, transforming the way individuals and organizations interact with digital content. By merging real and virtual environments, AR enhances user experiences and enables innovative applications. However, this constant reliance on sensors, cameras, and real-time data processing makes AR systems inherently prone to security and privacy risks. Issues such as unauthorized access, insecure storage, and the misuse of sensitive environmental and biometric data amplify the consequences of vulnerabilities in AR platforms, making security-by-design approaches a pressing necessity.

This project report is conducted within the context of the SafeAR Project, whose objective is to create automatic tools for protecting privacy and confidentiality in AR environments while maintaining seamless, real-time experiences. SafeAR identifies key classes of risks in AR data capture and applies machine learning to detect them, validating its solutions in two application scenarios: a location-based AR game (LootAR) and an industrial training and manufacturing application (UnitySafe). These two applications form the case studies for this work.

To evaluate their security posture, we applied a structured penetration testing methodology based on the OWASP Mobile Application Security Testing Guide (MSTG), the OWASP Mobile Top 10 (2024), and the OWASP Top 10 Web Application Security Risks (2021). The assessment focused on storage, authentication, application permissions, and network traffic, with particular emphasis on the handling of Transport Layer Security (TLS) communications. Static and dynamic analyses were performed using a range of established tools and techniques, enabling a systematic examination of vulnerabilities in both mobile and HoloLens environments.

The results highlight that many risks affecting AR applications align with those found in conventional mobile and web environments. However, the immersive and interconnected nature of AR amplifies their potential impact, demanding greater attention to privacy, integrity, and resilience. This dissertation contributes a structured penetration test methodology tailored for AR applications, identifying AR-specific risks and proposing mitigation strategies. In doing so, it reinforces the mission of SafeAR, supporting the development of trustworthy and privacy-preserving AR ecosystems.
Keywords
Augmented reality; SafeAR; Cybersecurity; Penetration testing; Mobile; OWASP