15

What opportunities are there for regular app developers (with that I mean, you're not a million dollar content producing company or distribution channel provider, but a regular, small app development company) to secure video/audio content for the app from being saved/distributed. I mention the 'regular developer', because I had seen in the Android core code that Sony had added some code portions into it, in the DRM packages. Let's assume we're not that powerful to talk to Google to include such in their core code.

Are there any real secure ways to protect video/audio (as part of an app) on Android.

Assumptions (correct me if I'm wrong):

  • devices could be rooted by the users, need to be aware of that
  • detection whether a device is rooted or not (within an app) is not really possible on Android, as a super user can basically fake any state of the device.
  • we cannot modify any hardware or the user's system (meaning: we don't bundle our app product with a device, the app should be available as a 'regular' app on the App Market for download)
  • the media files/stream could be locally on the device or come remotely from a server, both is ok

I have researched this topic quite a bit, googled a lot, went through (hopefully) all related questions here on SO, I have talked to one DRM provider (which is really hard to get in touch with as a small company or freelance developer, or at least to get some real relevant information, technical docs and details).

I looked into DRM as one approach, but "security-by-obscurity" does not seem to be a very good way. Besides, I haven't found any information or real solutions/APIs for regular developers.

Public-key encryption was another idea, but where to store the private key really safely? Furthermore, I assume that in such case, the entire media framework & player would need to be rewritten, in order to pass a secure video stream to the player. Or am I mistaken?

I would like to get some opinions from other experienced developers in the field, as it's really hard to find information about media content protection for Android anywhere.

Update:

In the context of my question, I found this Question and it's update interesting: Streaming to the Android MediaPlayer

Community
  • 1
  • 1
Mathias Conradt
  • 28,420
  • 21
  • 138
  • 192

2 Answers2

10

Are there any real secure ways to protect video/audio (as part of an app) on Android.

If by "secure", you mean "fullproof", then no. See Analog hole.

detection whether a device is rooted or not (within an app) is not really possible on Android

Nor is it possible anywhere. the laws of the universe make it impossible to detect such a thing, (okay, maybe you could exploit quantum physics for this, but even then I'm not sure) you can only add code to detect known techniques, all of which are trivial to bypass.

Public-key encryption was another idea, but where to store the private key really safely?

There is nowhere to store it safely. Think about it, you want to encrypt content and give the user the key to decrypt it (so he can watch it), but you don't want him to be able to decrypt it (so he can't copy it). This is a contradiction.

The most you can do is encrypt your stream to prevent the user from being able to just intercept it and use it. Then obfuscate the code that decodes/plays the stream. Though by implementing that you risk introducing more bugs (and worse performance), making the legitimate user's experience worse. If decide not to roll your own obfuscation, and use some automatic obfuscater product already available by some big company, it will already be generically cracked, and it will be extremely easy for someone who hardly knows what he's doing to crack your product in a small amount of time. As long as your product becomes remotely popular, one person is going to crack it and upload all the videos to torrent, then everyone will be able to pirate your product without doing any work.

L̲̳o̲̳̳n̲̳̳g̲̳̳p̲̳o̲̳̳k̲̳̳e̲̳̳
  • 12,464
  • 4
  • 50
  • 55
  • As an aside, I'd like to point out that some phones with NFC will likely have a programmable secure element, so there *might* (pretty big might here) be a way in the future to do DRM. Right now, you're stuck with software (inherently insecure). – Delyan Oct 02 '11 at 20:32
  • @Delyan: What makes hardware protection any more "secure"? The fact that it's about 1000 times more obscure? – L̲̳o̲̳̳n̲̳̳g̲̳̳p̲̳o̲̳̳k̲̳̳e̲̳̳ Oct 06 '11 at 01:40
  • Well, "secure" as in "takes thousands of dollars worth of equipment to even begin cracking it". It does raise the barrier to a much, much higher level but, in the end, you are right. It's just a nearly insurmountable level of obfuscation. The fact of the matter is, if it does indeed become mainstream, DRM would be unbreakable to 99% of the people breaking the current methods. Which is, I suppose good enough for the companies in question. – Delyan Oct 06 '11 at 02:31
  • In this context of my question, I found this Question+it's update quite interesting: http://stackoverflow.com/questions/2511045/streaming-to-the-android-mediaplayer – Mathias Conradt Oct 11 '11 at 13:49
0

I don't think there is a solution to protect media content in apps from being ripped off. DRM is of course not suitable for regular developer. I don't see also why public key can help.

jcisio
  • 509
  • 1
  • 7
  • 17
  • Thanks for you reply. Did you mean "I don't see also why public key CAN'T help." or "can"? Sorry, I didn't get your last past part. Do you think public-key is a way? If so, where to store the private key safely? – Mathias Conradt Oct 02 '11 at 08:07