This paper presents an empirical study on the security and privacy of Oculus Virtual Reality (VR) applications. The authors develop a security and privacy assessment tool, the VR-SP Detector, which integrates static analysis tools and privacy-policy analysis methods. The tool is used to analyze 500 popular VR apps from the Oculus and SideQuest app stores, focusing on security vulnerabilities and privacy data leaks. Key findings include a high prevalence of security vulnerabilities such as root detection issues and insecure random generators, as well as significant privacy leaks and inconsistencies in privacy policies. The study also highlights the unique challenges of VR apps, such as the collection of sensitive biometric data and the use of 3D game engines. Based on these findings, the authors provide recommendations for improving the security and privacy of VR apps, including setting proper secure flags, enabling root detection, using secure encryption methods, and adapting privacy policies to address new VR features. The paper concludes with a discussion of limitations and threats to validity, emphasizing the need for further research and development in this area.This paper presents an empirical study on the security and privacy of Oculus Virtual Reality (VR) applications. The authors develop a security and privacy assessment tool, the VR-SP Detector, which integrates static analysis tools and privacy-policy analysis methods. The tool is used to analyze 500 popular VR apps from the Oculus and SideQuest app stores, focusing on security vulnerabilities and privacy data leaks. Key findings include a high prevalence of security vulnerabilities such as root detection issues and insecure random generators, as well as significant privacy leaks and inconsistencies in privacy policies. The study also highlights the unique challenges of VR apps, such as the collection of sensitive biometric data and the use of 3D game engines. Based on these findings, the authors provide recommendations for improving the security and privacy of VR apps, including setting proper secure flags, enabling root detection, using secure encryption methods, and adapting privacy policies to address new VR features. The paper concludes with a discussion of limitations and threats to validity, emphasizing the need for further research and development in this area.