A digital rights management (DRM) solution alone is not enough for premium playback apps. Attacks are becoming more advanced, and although DRM has delivered secure viewing experiences, the user’s device on which the app runs still presents risk.
Apps are often treated as an extension of the business rather than as assets in their own right, so their security is left on the back burner. More often than not, developers and security officers have very different understandings of the word “protection,” and security mandates are not always understood.
Verimatrix performed an assessment of 14 popular Android media applications to better understand the state of streaming app security. The full results are published in the eBook “Media App Vulnerabilities Exposed,” but we wanted to share some of the highlights and the story behind the results.
Q: The results of Verimatrix’s assessment show that only 7% of the tested streaming apps achieved a baseline protection level. Why is security for media apps often overlooked?
A: It’s easy to say “naivety,” but I think that would be unfair to the very bright people working in security at media organizations. I think the reality is that mobile app security falls into a gap. Traditional risk/security teams are focused on back-end security, while mobile development teams often believe that their DRM solution is enough to protect the content – and it is. But content isn’t the only asset that needs protecting in a streaming app, although it may be the most obvious.
The trouble is that with no outside factor pushing the media app owners to look at app security, it often gets missed until it is too late.
Q: What is the biggest misconception that developers have about streaming app security?
A: The biggest misconception developers have about streaming app security is that DRM is enough. It’s not. DRM is more secure if it can’t be isolated from the rest of the app.
A: Any attack will start with reverse engineering (understanding the app to be attacked). Reverse engineering is a lot easier if you can quickly identify and isolate interesting parts of the software. An attacker can then focus on the code that is of interest and ignore the rest.
It’s also important to realize that a lot of data and valuable intellectual property exists in these apps beyond the content stream. Streaming apps also house payment information, personal data, code language and company secrets. Protecting all of these assets is critical to safeguarding revenue and maintaining customer trust.
Q: What kinds of new protections are content providers demanding when it comes to OTT video apps? What can app developers do to achieve compliance quickly?
A: Content owners are very keen that their content isn’t pirated—understandably so, since they spend a lot of money creating it. Content producers have well-resourced security and risk teams that analyze their ecosystem in its entirety. They are trained to spot gaps and vulnerabilities, and they tighten their mandates when they see a risk.
So far, mandates typically come from individual studios rather than MovieLabs or other regulatory organizations; and content owners seem to view all platforms as equal risk.
These mandates typically take the form of “Robustness Rules,” which are technical conditions that a licensee (e.g., app developer or service provider) must satisfy. Robustness Rules typically require implementations that make it difficult to crack layers of security within the system. This takes the shape of commercial obfuscation and environmental checks, two security methods that protect code, APIs, data, and other valuable assets within the app.
In a perfect world, it would be possible to reference an exact and unchanging set of requirements for different terms (e.g., release window, content quality level, network type, client device type, usage rules). Unfortunately, this isn’t the case. Ambiguities and subtleties about security technologies abound, and they change over time.
What we do know is that studios’ release windows are shrinking, or in some cases completely removed, due to various market pressures and current events (such as COVID-19 and the shutdown of many theaters), while playback quality and bandwidth are increasing. This has led to a general tightening of security mandates. The earlier the release, the more valuable the content and the more stringent the security requirements.
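As an added illustration of what the “environmental checks” mentioned above look like in practice (this is example code, not from the page, Verimatrix or UL), the following Kotlin object gathers the usual device-state signals on Android. The class and method names are assumptions, and the list of `su` paths is illustrative rather than exhaustive.

```kotlin
// Added example: runtime environment checks of the kind studio robustness
// rules ask for. Not Verimatrix or UL code; names are illustrative.
import android.content.Context
import android.content.pm.ApplicationInfo
import android.os.Build
import android.os.Debug
import android.provider.Settings
import java.io.File

// One finding per signal, so the caller can weigh them rather than act on a single flag.
data class EnvironmentReport(val findings: List<String>) {
    val isTrusted: Boolean get() = findings.isEmpty()
}

object EnvironmentChecks {
    // Locations where root managers commonly place the su binary (illustrative list).
    private val suPaths = listOf(
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su", "/data/local/tmp/su"
    )

    fun inspect(context: Context): EnvironmentReport {
        val findings = mutableListOf<String>()

        // 1. A debugger (JDWP or native) is attached to this process.
        if (Debug.isDebuggerConnected()) findings += "debugger attached"

        // 2. The build is debuggable; a release build must never carry this flag.
        val debuggable = (context.applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) != 0
        if (debuggable) findings += "debuggable build"

        // 3. Firmware signed with test keys, typical of custom or engineering ROMs.
        if (Build.TAGS?.contains("test-keys") == true) findings += "test-keys firmware"

        // 4. su binary on disk, the cheapest rooted-device heuristic.
        if (suPaths.any { File(it).exists() }) findings += "su binary present"

        // 5. Emulator fingerprints (goldfish and ranchu are the Android Emulator kernels).
        val emulator = Build.FINGERPRINT.startsWith("generic") ||
            Build.HARDWARE.contains("goldfish") ||
            Build.HARDWARE.contains("ranchu") ||
            Build.MODEL.contains("Emulator") ||
            Build.PRODUCT.contains("sdk")
        if (emulator) findings += "emulator"

        // 6. USB debugging switched on in developer settings.
        val adbEnabled = Settings.Global.getInt(
            context.contentResolver, Settings.Global.ADB_ENABLED, 0
        ) == 1
        if (adbEnabled) findings += "adb enabled"

        return EnvironmentReport(findings)
    }
}
```

Two practical notes. First, these are heuristics with false positives (some OEM firmware ships with test-keys, and developers legitimately enable ADB), so a player would normally use the report to withhold the highest quality tier or the earliest release window rather than to refuse playback outright. Second, every one of these checks is trivial to find and patch out in an unobfuscated APK, and a single `if (report.isTrusted)` gate is a single branch to flip; the checks only earn their keep when the surrounding code is obfuscated and their results are consumed in several places, which is exactly the point made above about security code that can be isolated from the rest of the app.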
Q: Will the new security mandates required by studios be enough of a push to protect streaming apps?
A: I’m an optimist, so, yes, I do. We’ve seen in other industries that when security standards are well defined and there is a consistent requirement to follow them, then they get near universal adoption.
This has proven good for these industries. Everyone’s responsibilities are clearly defined, there is a level playing field for all participants, and one poor implementation doesn’t damage the industry’s reputation for everyone.
Q: Are app developers aware of these mandates and the tools available to them?
A: Short answer: no. And if developers are aware of the mandates and the tools available, it is only a superficial awareness. In fact, if you ask many developers whether they protect their apps, their understanding of what constitutes “protection” is much different than that of a security officer, CTO, or CISO.
When a security professional asks whether an app is protected, what they really want to know is whether an app is safe from reverse-engineering. When an app developer says that an application is protected, they often mean that they have employed the free tools that come with Android Studio. However, these tools are described in the Android community as “optimizers” rather than “protectors.” What’s more, these tools do little to prevent a hacker attempting to reverse-engineer app code—they merely present a small hurdle.
Q: What’s the most surprising finding from the security assessment of popular streaming apps?
A: What surprised me most was that many apps aren’t even employing the free tools (such as ProGuard and R8) that come with the development kits. The usage rate for these free security tools was below mobile development norms! While the protection offered is minimal, it is better than nothing; and given that the cost to enable these tools is zero, it seems negligent not to turn them on. The time and effort it takes to configure these tools is negligible – typically this task would take about half a day for most apps – so there is really no excuse not to use them.
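As an added example of the zero-cost step discussed above (not code from the page or from Verimatrix), this is the Gradle change that turns R8 on for a release build. It assumes the single-module layout that a new Android Studio project generates, with the module at `app/` and the rules file named `proguard-rules.pro`; the package name is hypothetical.

```kotlin
// app/build.gradle.kts  (added example; layout and package name are assumptions)
plugins {
    id("com.android.application")
    id("org.jetbrains.kotlin.android")
}

android {
    namespace = "com.example.player"   // hypothetical
    compileSdk = 34

    defaultConfig {
        applicationId = "com.example.player"
        minSdk = 24
        targetSdk = 34
    }

    buildTypes {
        release {
            // R8 ships with every Android Gradle Plugin build but does nothing
            // until this is true. Enabled, it removes unreachable code and
            // renames classes, fields and methods to short meaningless names.
            isMinifyEnabled = true
            // Drop resources that no surviving code references.
            isShrinkResources = true
            // The "-optimize" default file also enables R8's optimization passes
            // (inlining, class merging); proguard-rules.pro holds the app's own keep rules.
            proguardFiles(
                getDefaultProguardFile("proguard-android-optimize.txt"),
                "proguard-rules.pro"
            )
        }
        debug {
            // Debug builds stay readable; they must never be shipped, since a
            // debuggable APK lets any attacker attach a debugger.
            isMinifyEnabled = false
        }
    }
}
```

In `proguard-rules.pro`, add `-keep` rules only for classes reached by reflection or JNI (media framework callbacks, serialized models), and consider `-repackageclasses ''` so that licensing and playback classes no longer advertise themselves through their package names. Check the result by opening the release APK in a decompiler (class names should now read like `a.b.c`) and by confirming that `app/build/outputs/mapping/release/mapping.txt` was written; that file is also what you need to de-obfuscate crash reports. The caveat from the answer above still applies: R8 renames and inlines, but it does not encrypt strings, verify the APK’s integrity or detect instrumentation, so it is the small hurdle the text describes, not a substitute for commercial obfuscation and environmental checks.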
Q: How did Verimatrix and UL develop the grading scale used in the security assessment?
A: It is often difficult to quantify cybersecurity since it is a complex issue consisting of many layers, factors, and possible attack vectors. To help businesses assess their security measures, Verimatrix initially developed the app security grading scale as part of an investigation into the state of mobile banking security (you can view the eBook here).
During our research, we found that the best standards for app security were the ones put forth by Visa and Mastercard for mobile payment security. Their standards are high, yet practical and well-defined, which means that the implementor isn’t required to dedicate excessive time and resources to unpacking each regulation. We used their standards as an example of good practice, which roughly equates to a B grade on the Verimatrix/UL scale.
For the complete assessment findings and tactical solutions to ensure security in premium playback apps, download the eBook “Media App Vulnerabilities Exposed.” As media apps become more popular and attacks more sophisticated, assessing app security is imperative.