So, you’ve implemented a DRM solution in your premium playback app. The world-class content your application will provide is safe and secure, and only authorized viewers can gain access. Right? Not quite.
Until fairly recently, content owners mainly mandated that their valuable video assets be protected by DRM security solutions on third-party applications—but times are changing. As technology evolves, cyberattacks become more sophisticated and piracy is no longer the only issue that rights owners need to worry about. Once DRM has done its job to deliver secure, authorized viewing experiences, the user’s device still presents a risk.
Content protection solutions like DRM have long been advocated, but revenue protection increasingly means going further. The apps being deployed by streaming services are as much a part of the ecosystems as the servers they connect to, and they must be protected as well.
Verimatrix performed an assessment of 14 popular Android media applications to better understand the state of streaming app security. The alarming results are published in our eBook, “Media App Vulnerabilities Exposed.” I sat down with Neal Michie, Verimatrix’s Director of Product Management, to unravel the data and gain more insight about the story behind the results.
Q: The results of Verimatrix’s assessment show that only 7% of the tested streaming apps achieved baseline protection level. Why do you think security for media apps is often overlooked?
A: It’s easy to say “naivety,” but I think that would be unfair to the very bright people working in security at media organizations. I think the reality is that mobile app security falls into a gap. Traditional risk/security teams are focused on back-end security, while mobile development teams often believe that their DRM solution is enough to protect the content – and it is. But content isn’t the only asset that needs protecting in a streaming app, although it may be the most obvious.
The trouble is that with no outside factor pushing the media app owners to look at app security, it often gets missed until it is too late.
Q: What is the biggest misconception that developers have about streaming app security?
A: The biggest misconception developers have about streaming app security is that DRM is enough. It’s not. DRM is more secure if it can’t be isolated from the rest of the app.
Any attack will start with reverse engineering (understanding the app to be attacked). Reverse engineering is a lot easier if you can quickly identify and isolate the interesting parts of the software. An attacker can then focus on the code that is of interest and ignore the rest.
It’s also important to realize that a lot of data and valuable intellectual property exists in these apps beyond the content stream. Streaming apps also house payment information, personal data, code language and company secrets. Protecting all of these assets is critical to safeguarding revenue and maintaining customer trust.
Q: What kinds of new protections are content providers demanding when it comes to OTT video apps? What can app developers do to achieve compliance quickly?
A: Content providers are very keen that their content isn’t pirated—understandably so, since they spend a lot of money creating it. Providers have well-resourced security and risk teams that analyze their ecosystem in its entirety. They are trained to spot gaps and vulnerabilities, and they tighten their mandates when they see a risk.
So far, mandates typically come from individual studios rather than MovieLabs or other regulatory organizations; and content owners seem to view all platforms as equal risk.
These mandates typically take the form of “Robustness Rules,” which are technical conditions that a licensee (e.g. app developer or service provider) must satisfy. Robustness Rules typically require implementations that make it difficult to crack layers of security within the system. This takes the shape of commercial Obfuscation and Environmental Checks, two security methods that protect code, APIs, data, and other valuable assets within the app.
In a perfect world, it would be possible to reference an exact and unchanging set of requirements for different terms (e.g. release window, content quality level, network type, client device type, usage rules). Unfortunately, this isn’t the case. Ambiguities and subtleties about security technologies abound, and they change over time.
What we do know is that studios’ release windows are shrinking due to various market pressures and current events (such as COVID-19 and the shutdown of many theaters), while playback quality and bandwidth are increasing. This has led to a general tightening of security mandates. The earlier the release, the more valuable the content and the more stringent the security requirements.
Q: Do you think new security mandates required by studios will be enough of a push to protect streaming apps?
A: I’m an optimist, so, yes I do. We’ve seen in other industries that when security standards are well defined and there is a consistent requirement to follow them, then they get near universal adoption.
This has proven good for these industries. Everyone’s responsibilities are clearly defined, there is a level playing field for all participants, and one poor implementation doesn’t damage the industry’s reputation for everyone.
Q: Through your conversations with app developers, do you feel they are aware of these mandates and the tools available to them?
A: Short answer: no. And if developers are aware of the mandates and the tools available, it is only a superficial awareness. In fact, if you ask many developers whether they protect their apps, their understanding of what constitutes “protection” is much different than that of a security officer, CTO, or CISO.
When a security professional asks whether an app is protected, what they really want to know is whether an app is safe from reverse-engineering. When an app developer says that an application is protected, they often mean that they have employed the free tools that come with Android Studio. However, these tools are described in the Android community as “optimizers” rather than “protectors.” What’s more, these tools do little to prevent a hacker attempting to reverse-engineer app code—they merely present a small hurdle.
Q: What’s the most surprising thing you found during the security assessment of 14 popular streaming apps?
A: What surprised me most was that many apps aren’t even employing the free tools (such as ProGuard and R8) that come with the development kits. The usage rate for these free security tools was below mobile development norms! While the protection offered is minimal, it is better than nothing; and given that the cost to enable these tools is zero, it seems negligent not to turn them on. The time and effort it takes to configure these tools is negligible – typically this task would take about half a day for most apps – so there is really no excuse not to use them.
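To make the “zero cost” point concrete, the following Gradle snippet is an added example (not taken from the eBook or from Verimatrix’s own material) showing a release build type as a new Android Studio project ships it, beside the same build type with R8 shrinking and renaming switched on. The module path, signing config name and rules file name are assumptions; the options themselves are standard Android Gradle Plugin settings.

```groovy
// app/build.gradle (Groovy DSL). Added example, not from the page.
// "before" and "after" are alternatives for the same release block;
// keep only one of them in a real project.
android {
    buildTypes {
        // --- before: what a new project ships with ---
        // minifyEnabled defaults to false, so the release APK keeps the
        // original class, method and field names. Isolating the DRM,
        // licence or payment code in a decompiler is then a search away.
        release {
            minifyEnabled false
            signingConfig signingConfigs.release   // assumed config name
        }

        // --- after: let R8 shrink, optimise and rename the release build ---
        release {
            minifyEnabled true      // runs R8: dead-code removal + renaming
            shrinkResources true    // also drops resources nothing references
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'),
                          'proguard-rules.pro'    // assumed file, see below
            signingConfig signingConfigs.release
        }

        debug {
            // Leave debug builds readable for development; they are never
            // the artefact that reaches the store.
            minifyEnabled false
        }
    }
}

// proguard-rules.pro (assumed name) typically needs a few project-specific
// lines: -keep rules for classes reached via reflection or JSON/serialisation,
// and, if you want readable crash reports, -keepattributes SourceFile,
// LineNumberTable together with -renamesourcefileattribute SourceFile.
// -repackageclasses '' flattens the package tree into one package, which
// removes the package names that would otherwise label the interesting code.
```

After a release build, `app/build/outputs/mapping/release/mapping.txt` lists every original name and what R8 renamed it to; if that file is missing, R8 did not run. The same mapping file is what lets you de-obfuscate stack traces later, so keep it with the build. As the answer above says, this is an optimiser rather than a protector: names are gone, but control flow and strings are intact, and a resolute reverse engineer will still get through. Commercial obfuscation and environmental checks are the next layer, not an alternative to this one.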
Q: How did Verimatrix and UL develop the grading scale used in the security assessment?
A: It is often difficult to quantify cybersecurity since it is a complex issue consisting of many layers, factors, and possible attack vectors. To help businesses assess their security measures, Verimatrix initially developed the app security grading scale as part of an investigation into the state of mobile banking security (you can view the eBook here).
During our research, we found that the best standards for app security were the ones put forth by Visa and Mastercard for mobile payment security. Their standards are high, yet practical and well-defined, which means that the implementor isn’t required to dedicate excessive time and resource to unpacking each regulation. We used their standards as an example of good practice, which roughly equates to a B grade on the Verimatrix/UL scale.
Read the eBook to Learn How to Reduce Media App Vulnerabilities
The new eBook, “Media App Vulnerabilities Exposed,” discusses Verimatrix’s findings at length and offers practical solutions to ensure that premium playback apps are secure. As media app usage skyrockets and cyberattacks become more sophisticated, it is imperative to protect more than just the content. Download the eBook to learn more and enhance your security approach.