With augmented reality (AR) apps like Apple Vision Pro growing more popular all the time, users have become not only more attached to their mobile devices but also engrossed in a secondary layer of distraction. While immersed in AR, experiencing any disruption such as push notifications could lead a user to click just to make the banner vanish. Clicking without first verifying a notification is legitimate could lead to interaction with a link that downloads malware and other malicious content onto your device.
The risk of accidentally engaging with a malicious push notification during AR immersion affects not only those using these apps for leisure but also in a working environment, such as in a medical or other office setting. When a user allows in these bad actors by clicking push notifications without pausing to consider first, they could risk not only their own security but also the security of their employer. Cybercriminals can leverage push notifications to carry out various attacks to gain personal data, including espionage.
These threat actors might use social engineering by posing as someone the user knows or by MFA prompt bombing, where the user gets flooded by an overwhelming number of notifications at once.
As both AR use and user frustration with push notifications have increased, my doctoral research conducted under Dr. Alexander Voiskounsky at Capitol Technology University explores both user susceptibility to malicious push notifications during AR immersion as well as a potential developer-side solution. The first stage of this study used a qualitative approach involving a simulation exposing participants to interfaces for commonly used AR apps like Instagram and Pokémon GO. The simulation prompted immersed participants to choose between a push notification requesting social interaction (friend calling in) and urgency (an upgrade notice that the device would turn off if the user didn’t click the notification to upgrade). The majority of participants across both a leisure and workplace context ended up choosing the social interaction, citing a trending pressure to respond to either a friend or manager over the threat of a device shutting down and losing unsaved work.
The social pressure evident from the simulation results showed a need for backend mitigation that doesn’t rely entirely on the user whose attention might not be at full capacity, given the increasingly popularity of immersive applications. The second stage of the study used a qualitative case study that consulted four experts in the application development field to propose a security feature implemented into a user device. The hypothetical feature would use artificial intelligence (AI) to heuristically analyze the content of any incoming push notification and intercept anything suspicious entering the user interface (UI) before the user has a chance to click. One of the experts specializing in security engineering at a Fortune 500 company advised that, while necessary, such a feature has not yet been developed due to privacy concerns over the necessary screen capture element for catching the push notification in real time.
As AR apps are some of the most distracting technologies out there, application developers can help reduce this risk by collaborating with privacy and legal experts toward an ethical security feature capable of blocking malicious push notifications in real time. Due to the study showing the social interaction lure as most alluring for users, the heuristic screen capture analysis of this feature could emphasize any push notifications with content soliciting a communication request. The feature would ideally then show the user a summary of any intercepted notifications once they have closed out the AR feature and therefore make it less likely to click or swipe for automatic dismissal.
Editor’s note: For more insights on this topic, read Sarah’s 2024 ISACA Journal article, volume 3,“User Susceptibility to Malicious Push Notifications in Augmented Reality at the Workplace.”