I wanted to get some solutions for protecting on-demand media for copyright and preventing users from downloading files directly, like Spotify. What structure would you recommend? What are the requirements?
1 Answer
There is no reliable way to stop people copying streamed media - it has to be sent to the device to play, so it is possible to capture and copy. Even if it is obfuscated, there are tools available to capture the media streams.
To counter this, the usual approach is to encrypt the media stream - this way the captured media cannot be played without the correct key. Most media encryption uses some form of AES.
In the (hopefully) unlikely event that someone finds a way to crack AES in the near future, it's likely that pirating media will be fairly low on their exploit list, given the wide use of AES across industries, government etc.
You still need some secure way of getting the key from the server to the clients, only to those clients who are entitled to watch it, and in a manner that does not allow the client to view the decryption key itself (or else they could just copy it).
This is one of the key functions that DRM solutions provide - the most common being Google's Widevine, Microsoft's PlayReady and Apple's FairPlay, although others do exist also.
So, if you view the media security as hurdles, you might consider techniques like these, in rough order of effort/protection:
- user authentication to access the page/server
- obfuscate the media url to make it harder to copy
- signed urls to limit access to certain users (with consideration of how this may impact any CDN or caching strategy)
- encrypted files with keys hardcoded on client or passed out of band somehow
- encrypted files using DRM and the device's secure media path, when this is available (you can usually skip most of the above other than authentication if using DRM, although some implementations will combine or use multiple hurdles together)
It's worth bearing in mind what your end goal is - if the media is high quality entertainment or sports, then these techniques are usually worth the investment to prevent/deter piracy.
If your audio or video will contain 'secret' information you don't want shared then you also need to remember that someone can point a camera or a microphone at the player device and capture it that way. It may not be great quality, so less useful for piracy use cases. At this point the focus usually turns towards identifying the source of the leak, using techniques like forensic watermarking - i.e. embedded invisible/inaudible audio and video watermarks to allow a leak to be traced.

- Do you have any article about how to encrypt them with AES? – Matin Zadeh Dolatabad Mar 21 '21 at 12:26
- See https://stackoverflow.com/a/45103073/334402 and https://stackoverflow.com/a/46897097/334402 – Mick Mar 21 '21 at 12:35
- Is this the same for audio files? @mick – Matin Zadeh Dolatabad Mar 22 '21 at 13:45
- Yes, the manifest files can encrypt multiple audio and video tracks - if you look at the second link above there is audio included in the example. – Mick Mar 22 '21 at 14:07
- Is there any Android or iOS client for these DRMs? – Matin Zadeh Dolatabad Mar 23 '21 at 15:09
- The DRMs are actually built in as standard to all iOS and most Android phones - FairPlay DRM for iOS and Widevine DRM for Android. There may also be other DRMs present, often with a lower level of security not tied in to the HW on the device, but the above are the defaults. If you look at the ExoPlayer demo on GitHub you can see examples of playback of DRM streams in ExoPlayer on Android. – Mick Mar 23 '21 at 15:14