So, you’ve implemented a DRM solution into your premium playback app. The world-class content your application will provide is safe and secure, and only authorised viewers can gain access. Right? Not quite.
Until fairly recently, content owners mainly mandated that their valuable video assets be protected by DRM security solutions on third-party applications—but times are changing. As technology evolves, cyberattacks become more sophisticated and piracy is no longer the only issue that rights owners need to worry about. Once DRM has done its job to deliver secure, authorised viewing experiences, the user’s device still presents a risk.
Content protection solutions like DRM have long been advocated, but revenue security increasingly means going further. The apps being deployed by streaming services are as much a part of the ecosystem as the servers they connect to, and they must be protected as well.
Verimatrix performed an assessment of 14 popular Android media applications to better understand the state of streaming app security. The alarming results are published in our eBook, ‘Media App Vulnerabilities Exposed’. Here are a few key takeaways:
Only 7% of the streaming apps we tested achieved a baseline protection level.
Mobile app security falls into a gap. Traditional risk/security teams are focused on back-end security, while mobile development teams often believe that their DRM solution is enough to protect the content – and it is. But content isn’t the only asset that needs protecting in a streaming app, although it may be the most obvious.
The trouble is that with no outside factor pushing the media app owners to look at app security, it often gets missed until it is too late.
The biggest misconception about streaming app security is that DRM is enough.
It’s important to realize that a lot of data and valuable intellectual property exists in these apps beyond the content stream. Streaming apps also house payment information, personal data, code language and company secrets. Protecting all these assets is critical to safeguarding revenue and maintaining customer trust.
Content providers are demanding new protections when it comes to OTT video apps.
New mandates required by content providers typically take the form of ‘Robustness Rules’, which are technical conditions that a licensee (e.g. app developer or service provider) must satisfy. Robustness Rules typically require implementations that make it difficult to crack layers of security within the system. This takes the shape of techniques like Obfuscation and Environmental Checks, two security methods that protect code, APIs, data, and other valuable assets within the OTT app.
In a perfect world, it would be possible to reference an exact and unchanging set of requirements for different terms (e.g. release window, content quality level, network type, client device type, usage rules). Unfortunately, this isn’t the case. Ambiguities and subtleties about security technologies abound, and they change over time.
What we do know is that studios’ release windows are shrinking due to various market pressures and current events (such as Covid-19 and the shutdown of many cinemas), while playback quality and bandwidth are increasing. This has led to a general tightening of security mandates. The earlier the release, the more valuable the content and the more stringent the security requirements.
Many streaming apps aren’t even employing security tools that are freely available.
During our research, the usage rate for free security tools was well below mobile development norms! While the protection offered by these tools is minimal, it is better than nothing; and given that the cost to enable these tools is zero, it seems negligent not to turn them on. The time and effort it would take to configure these tools is minimal – typically this task would take about half a day for most apps – so there is really no excuse to not use them.
We recently published an ebook that discusses our findings at length and offers practical solutions to ensure that premium playback apps are secure.