I remember being told back in the year 2000 that broadband internet would allow TV quality video to be downloaded in real time. While the term “streaming” had yet to be coined and I knew nothing of the complexities of Hollywood content licensing, the idea of movies and TV on demand seemed very appealing.
Fast forward 20 years and this idea is now reality. We stream content to all sorts of devices: PCs, tablets, mobile phones, smart TVs and set-top boxes. Most of us can’t even imagine waiting out the COVID-19 pandemic without Netflix for entertainment.
Getting technical, what’s required to secure over the-top (OTT) video content to these devices?
Digital rights management (DRM) is the starting point. When handling highly valuable digital content, DRM is a requirement. Solutions, like Verimatrix’s Multi-DRM, ensure that only entitled users can view content across multiple devices. This is achieved through a cryptographic scheme that involves encrypting content when it is stored and transmitted. To be able to play back the content, the client software must first ask the DRM server for the encryption key. Only after validating the user and device, will the server provide the key to the device and playback can begin.
For Hollywood content, MovieLabs publishes the security requirements for content distribution. However, the organization is careful not to make functional or implementation requirements – that is left to the implementor. This means there are many DRM schemes, but in practice most content is distributed using three major protocols: Google’s Widevine, Apple’s FairPlay and Microsoft’s PlayReady.
When building their video apps, video service providers have the option to use the native DRM (i.e. provided by the operating system) or to use a third-party implementation embedded into their app. There are pros and cons to both ways, but it’s beyond the scope of this blog to go into those details.
Are there specific security requirements for mobile apps that stream video content?
We are now seeing movie studios starting to mandate software security requirements on the wider mobile app. Failing to meet these requirements will limit the content available to the service provider. These new requirements make a lot of sense as protecting individual components is good, but tightly binding them into the rest of the app context is much better.
Mandating security on the whole app is an approach that Verimatrix has experienced working to great effect in the payments industry.
In fact, this is something forward-thinking service providers are already doing. While recognizing the wider security benefits, they also believe that going beyond the minimum requirements strengthens their relationship with content owners.
The software security requirements that are starting to be mandated have two components:
- Obfuscation – Makes code difficult to read, and understand, which protects it from static analysis.
- Environmental Checks – Ensures the app is only running on a trusted device and hasn’t been sideloaded elsewhere.
But operators can take this a step further. In order to trust that the code base is executing as intended by the developer, operators can also implement Anti-Tamper technology. Using Anti-Tamper, any attempt by an attacker to circumvent security measures or otherwise modify code, will be blocked. This greatly increases the security level of the whole app.
With the approaches discussed in this blog, your app won’t just be ready to accept content today, but it will be future proofed to deal with the emerging new and enhanced security requirements. By differentiating your mobile apps with smart software shielding techniques, you can demonstrate you are using best practice to protect content. Therefore, you can gain access to a larger and better content library than your competition and thus, help grow your business.
Verimatrix’s Software Shielding tools and cloud services more than meet these security requirements. They also embody our Friendly Security principles that ensure they can be applied quickly and easily with minimal impact on development teams and schedules.
Contact us to learn more about how we can help secure, and therefore differentiate, your video mobile app.