In-app Protection tools are crucial to the success of any media or entertainment app. Without them, the valuable content being streamed to the mobile device is at risk; but did you know that the need to protect the mobile app goes much further?
It is safe to say that virtually all media apps use some form of content protection. The video content they provide to their users is simply too valuable to be left open to pirates. Content protection is a requirement for doing business, and in most cases the content protection comes from off-the-shelf solutions like Verimatrix Multi-DRM.
Internally, these content protection solutions use In-app Protection tools – like Verimatrix Shielding – to protect themselves from reverse engineering and to keep their precious data safe from hackers.
With the content protected, why should the developer bother using protection tools on the rest of the code base? Very simply, the media content is not the only valuable asset within the app.
GDPR and CCPA are part of a global trend to increase our privacy rights. If an app is collecting, processing or storing any personal data – and let’s be honest, all apps are – then it comes within the scope of the regulations. If payments are being taken through the app, then extra requirements like PCI-DSS and PSD2 come into play.
These requirements are nothing to be scared of. They basically require that you take sensible steps, in line with industry best practice, to protect the information. When that data is within a mobile app, the best way to protect the data is to protect the app.
Trusted Server Access
No media app works in isolation. They have to retrieve the content from back-end systems. These systems are designed to only provide content to entitled users and trusted apps. The back-end exposes APIs – internet doors – to give apps and users access to systems, services and information. Only trusted apps and users should be allowed through these doors.
Unfortunately, the only source of decision making for the back-end is the information it receives through the APIs. If the information can be falsified, then the back-end will make the wrong decisions – potentially allowing untrusted or unauthorised access.
Probably the most high-profile example of this is password sharing. This is becoming an increasing concern to streaming companies who are looking to protect revenue streams and crack down on freeloaders. The way to do this is to make it harder to falsify the information being entered into the mobile app using Strong Authentication methods.
Also, we increasingly see hackers reverse engineering apps to learn how they authenticate themselves with back-end systems. This allows the attacker to send requests to the back-end that appear to come from a trusted and legitimate app. Attackers use this approach to attack back-end systems through their own APIs. App Protection Tools make the apps much harder to reverse engineer by shielding their internals and so can prevent attacks on back-end systems.
In many cases, the app is also the guardian of the service’s business model – ensuring the content is viewed in the manner intended. Users often feel entitled to a better experience and will find ways to self-upgrade.
For example, it is common to offer a free or lower cost subscription that allows content only to be viewed on small mobile phone screens. If the user wishes to view the content on a larger screen (i.e. a TV) then there are additional costs. There are plenty of discussions on online forums of users Side Loading an Android mobile app onto an Android SmartTV to circumvent those additional costs.
Another common attack on the app is to remove adverts. This only works for client-side insertion, but it is common to see repackaged versions of popular media apps on third-party app stores offering “advert free viewing”. As the adverts go, so does the revenue stream.
The correct use of software Protection Tools can ensure apps only run on trusted devices and stop repackaging attacks.
Verimatrix Shielding is used by our customers to protect all these assets and many more. To learn more about how our application protection tools can smoothly integrate into your development process for mobile or set-top box apps, read our Shielding for Media Apps flyer.