When you submit a build to any release channel, an automated security vulnerability scan is run on the app package. This scan checks for security issues such as the use of known vulnerable SDKs or libraries, known exploits in the Android ecosystem, and the use of insecure features. When the scan completes, you receive a detailed report that describes any security vulnerabilities found in that app package, along with remediation guidance for each vulnerability identified.
The following image shows an example of the Security Vulnerability Review Test Results:
If a test fails, there are two possible results:
A red icon indicates an issue that must be fixed before the app can be submitted to app review or distributed through any release channel.
A yellow warning icon indicates a potential issue that you should fix but that will not block release.
You can select Click for Details for each warning or failure to see more information. The Locations of Vulnerable Code In Your Build section lists the places in your code where each vulnerability was found. Use the Locations of Vulnerable Code in Your Build, Description, and Recommendation sections together to locate, understand, and fix each issue. The following image shows an example of these three sections.
As of June 23, 2022, any binary that contains a security vulnerability categorized as critical must be fixed and re-uploaded before it can be submitted to app review or distributed on any release channel.
Meta considers an app vulnerability to be critical if it poses a substantial risk to the Meta Quest or Link PC-VR (Oculus Rift) ecosystems, including user data, user experiences, app integrity, or Meta’s platform services.
A malicious attacker may not be able to compromise the system with a single critical vulnerability, but may combine it with other vulnerabilities in the same or different apps to build a chain of exploits that results in a compromise. Because we cannot foresee what other vulnerabilities will emerge, we enforce remediation of critical vulnerabilities to protect your app and your users.
Appealing a security vulnerability result
If you believe that a critical security vulnerability reported for your binary is a false positive, you can request an appeal. Appeal forms can be submitted through the Developer Support Center by clicking Contact Us and choosing the "Appeal Security Vulnerability Results" option in the "What are you reaching out about?" dropdown. You need to sign in to access the form. The appeal process may take up to 30 days.
After all of the identified critical security vulnerabilities have been fixed, upload a new build; the security vulnerability scan runs automatically on the newly uploaded package.