Increasing Security for Apps on the Meta Quest Platform
Starting June 23, 2022, Meta will require developers submitting binaries for distribution on the Meta Quest platform to fix any critical security vulnerabilities that our automated scanning systems detect at the submission stage. This furthers our commitment to a secure and trustworthy ecosystem. This blog post provides details on how you can successfully publish your binaries to the Meta Quest Platform.
What’s New?
If you have a critical security vulnerability flagged in your binary, you will not be able to publish your app to the Meta Quest Store or App Lab until the critical security vulnerability is fixed and the binary is reuploaded. You will not be able to distribute the flagged binary through any release channels. This change will not disturb the current applications in the ecosystem; however, newly uploaded binaries will be required to follow our new guidance.
What are Critical Security Vulnerabilities?
A Meta Quest app has a vulnerability when some aspect of its design could be exploited by a malicious attacker. Meta considers a Quest app vulnerability to be critical if it poses a substantial risk to the Meta Quest ecosystem, including user data, user experiences, app integrity, or Meta’s platform services. A malicious attacker may not be able to use a single critical vulnerability to compromise the system, but may combine it with other vulnerabilities in the same or different apps to create a chain of exploits that results in a compromise. Since we cannot foresee what other vulnerabilities will emerge, we require remediation of critical vulnerabilities to protect your app and Meta Quest users. All Meta Quest binaries are automatically scanned for critical security vulnerabilities when uploaded to the platform.
What do I need to do if there are Critical Security Vulnerabilities in my app?
After uploading your binary, you’ll be notified if a critical security vulnerability was found. You can select each vulnerability to learn more and get recommendations for how to address it. Make any necessary changes to your binary to address these vulnerabilities. Upload your updated binary, which will be scanned again for vulnerabilities. If no critical security vulnerabilities are found, you can continue to submit and distribute your app on Meta release channels.
What if I need to appeal?
In the case of a false positive result, we encourage you to submit an appeal via the Developer Support Center through the Contact Us form. You can do this by submitting a request under the “Appeal Security Vulnerability Results” option in the “What are you reaching out about?” dropdown. You need to sign in to access the form. The appeal process may take up to 30 days. If you have an account manager, please inform them if you intend to submit an appeal.