Lu Bolden
Lu Bolden
Sep 25, 2020

Buy vs. Build Multi-DRM?

Digital rights management (DRM) is the first line of defense for OTT video piracy prevention. It ensures content is encrypted, whether in storage, transit or delivery, and delivers the right key and content ID to authenticated users for their playback environment. 

Core DRM logic manages authentication, trust verification and key exchange, which is supported by a DRM client and secure player. The client manages entitlements, device integrity and output control, such as HDCP enforcement to secure all video delivered.

Of course, different devices and browsers use different DRMs, e.g. Widevine (Google), PlayReady (Microsoft) and Fairplay (Apple). Since streaming services are app-based, they are all inherently multi-device and therefore need to manage multiple DRMs that are native to each device type.

Managing multiple DRMs requires a continual cycle of ongoing device, formats and operating system patches and updates. Developing your own centralized security platform and running a whole dev team exclusively devoted to this is a large undertaking. 

Take for example, a leading global end-to-end video delivery provider that currently spends approximately 3% of its R&D budget to manage its multi-DRM solutions and this does not include ongoing support. Throw any kind of issue in there and the time and money spent internally will far exceed the fees a vendor will charge. 

Security companies have the expertise and capacity to provide a scalable approach to multi-DRM management. The streaming world is not one of large margins. The ability to efficiently and effectively cover DRM needs across platforms can be outsourced by choosing a vendor based on price, feature, reputation and complexity of services. Regardless of how you select a vendor, going this route will always be far more secure, easier to implement and more cost effective. 

The total cost of ownership to run a security department will take time and resources away from your business’s core competency and unless there’s a very specific reason for doing this, the number’s just don’t add up. 

App Hijacking Dangers

Media apps offer a wealth of opportunity for pirates. The key objective is to prevent the app from being used as an illicit entry point. Media apps are an access point for at least half a dozen different types of illegal activity! 

Application vulnerabilities

App repackaging, or cloning, is currently one of the most common attacks. Android is especially prone to this, as one study analyzed 1.7 million free Android apps and found less than 25% had used any kind of code obfuscation – meaning their app can be read, copied and manipulated very easily. Adding to this, the percentage of apps using robust application shielding beyond simple obfuscation is significantly smaller.

Further research from this study showed the majority of respondents of 70 participating developers failed to protect a sample app, and many believed they had actually done so. Very popular apps with 10 million + downloads used obfuscation only 50% of the time. Not great odds. 

It is now essential to protect streaming apps, as well as the video content being delivered. Without sufficient code protection, any app can be reverse engineered, essentially creating a clone, with a varying intentions: 

Stealing revenue:

  • An illegal copycat app can be created to sell subscriptions, except subscription revenue goes to the hackers. 
  • Hackers may choose to run their own advertising on the content, where the ad revenue again goes to them.

 Stealing data:

  • The app can install malicious code, logging passwords, or other confidential/personal information.
  • Hackers may go after user data stored in backend databases.
  • Ability to replicate credentials may also create an access point into other corporate data.

Stealing content:

  • The content from within the app can be redistributed. Real credentials are used to logon and then a cloud recorder can capture and push the content elsewhere to be restreamed. 

API vulnerabilities

Use of APIs has empowered devices to make requests from backend services, replacing the previous practice of backend processing occurring in near-isolation behind a trusted security perimeter with all external access being highly controlled. The resulting API use may inadvertently provide unchallenged access to what is supposed to be secure data. 

API and other code vulnerabilities have exposed massive amounts of data at a number of companies according to Identity Force, an identity protection provider. In 2020 alone, leading companies have had data breaches from websites and apps, including Microsoft, MGM Resorts, T-Mobile, GE, and U.S. law enforcement agencies.

As the security perimeter has widened based on software development styles and approaches, application shielding has become a key part of today’s security strategy. This is about prevention and more importantly, maintaining the brand reputation you worked so hard to build with your customers. 

Emerging video app requirements

Movie studios are starting to mandate app security in their licensing contracts, the same way they do with DRM, which have two components:

  • Obfuscation – to make code difficult to read and understand, which protects it from static analysis.
  • Environmental checks – to ensure the app is only running on a trusted device and hasn’t been sideloaded elsewhere.

Operators can take this a step further. In order to trust that the code base is executing as intended by the developer, operators can also implement anti-tamper technology. Using anti-tamper, any attempt by an attacker to circumvent security measures or otherwise modify code, will be blocked. This greatly increases the security level of the whole app.

By differentiating mobile video apps with application shielding techniques, you can demonstrate you are using best practice to protect content. Therefore, you can gain access to a larger and better content library than your competition and thus, help grow your business.

This is Part II of a five-part series dedicated to helping streaming service providers understand where their security vulnerabilities exist and what security methods will best protect, and ultimately enhance, their businesses in the most cost-efficient manner. Revisit Part I here.