Ensuring Secure Streaming from Backend to App: A Holistic Approach to Protect User Data, Content, and Service Infrastructure in OTT and PayTV Services

Evaluating Streaming Security

Streaming providers face multiple cybersecurity threats, from content pirates to malware and exploits. Unfortunately, traditional content protection alone isn’t enough anymore. Advances in tooling for hackers make it easier to deploy malware and compromise device hardware, operating systems, applications, and services.

To address these challenges, service providers must acknowledge the risks associated with their backend and app infrastructure and embrace a security-first mindset. It’s essential to recognise that certain threats cannot be entirely eliminated, such as insecure endpoints (e.g., devices and apps). Equally crucial is the development and documentation of a security concept aimed at limiting the “blast radius” of potential exploits. Therefore, embracing the principles of the zero-trust security model is imperative to prepare adequately for the statistically inevitable worst-case scenario. The goal is not only to raise the cost and complexity of an attack but also to curtail its effectiveness and value by limiting the data that can be extracted.

A robust security approach entails analysing the entire service for potential vulnerabilities and data exfiltration targets, and tailoring defenses to safeguard valuable data effectively. A video streaming platform usually manages personal information, billing details, and user profiles, alongside instructions for accessing premium content through a CDN and obtaining DRM licenses for decryption. Consequently, potential threats range from malware attempting to steal personal information and account credentials to unauthorised users seeking to download extensive content, extract decryption keys, and access decrypted material.

Backend-Based Defenses and Mitigations

Several threats can be mitigated through backend protection measures. For instance, credit card information shouldn’t be accessible via APIs, even for the authenticated account owners. Applications should avoid local storage of personal or sensitive data, including API keys. Such information should be dynamically fetched from backends. These backends should assess the trustworthiness of devices, potentially limiting data access and requiring re-authentication for sensitive information, ideally utilising biometrics or a One-Time Password (OTP).

Additional (but not exhaustive) strategies include:

• Employ a Two Factor Authentication and replace username/password combinations with logins via trusted external identity providers. These measures reduce the effectiveness of stolen credentials in attacks.
• Ensuring that post-login API authentication tokens are short-lived, replay-protected, and encrypted in storage. They must be associated with device-managed keys. For enhanced content access security, one must employ hardware-backed keys. The service must monitor cryptographic key identities tied to devices to detect potentially stolen key data being used in unusual situations. Techniques like OAuth DPoP or mutual TLS cryptographically tie authentication tokens to the requesting device, reducing the potential for exploiting stolen API access tokens.
• Implementing fine-granular control over content access based on title and quality level (limiting quality according to device security guarantees), linked to active playback sessions (revoking access across all systems when playback stops), limited in concurrency, and geo-fenced.
• DRM protection with different keys for each rendition quality, coupled with a session-based forensic watermark for identifying leaks and device information. Ideally, this watermark should be placed at the CDN level to prevent manipulation and exploitation.

Combining all mentioned backend-based defenses offers a comprehensive set of controls that significantly contribute to a zero-trust architecture. For attackers, this could lead to increased value in reverse engineering an app. To counter this, employing code obfuscation and anti-debugging tools becomes crucial to heighten the challenge. However, hackers could still obtain working credentials and potentially pirate content. This remains an inevitable threat, underscoring the need to apply the zero-trust security model to both devices and apps, assuming them as intrinsically untrustworthy.

App and device-based defenses and mitigations

Only a few of the previously mentioned threats directly concern the app or device, most of those falling into one of two categories:

1. Malware extracting user data like account credentials (e.g. via keyloggers)
2. Pirates reverse engineering and manipulating the app or device to gain access to content, decrypt it, and potentially tamper a forensic watermark.

Malware attacks usually happen remotely on devices in the field. Attackers rely on social engineering, Android version exploits, or specific device vulnerabilities to intrude, perform privilege escalation, access an app, or launch man-in-the-middle attacks. There are different tools and strategies available to mitigate various attack vectors for apps and devices, which include:

• Encryption and cryptographic proofs to protect data from direct access and manipulation. Great care in handling key material, preferably locking private keys into hardware modules.
• The device, app, and key attestation. Provides a comprehensive security status determined through cryptographic signatures of the code the device runs and whether signatures are trusted, from the earliest boot code all the way up to the app.
• Hardware-backed keys and Secure Execution Environments. Keep sensitive data confidential in a “secure world”, physically or at least logically (in terms of CPU cores) separated from the OS and application code.
• Classifying devices and apps based on their security guarantees and security patch levels, while denying or limiting access to sensitive data/valuable content based on that classification.
• Malware scanners and intrusion detection.
• Traditional software security like code signing, code obfuscation, anti-debug measures, self-monitoring and self-repairing code, emulation detection, whitebox cryptography, etc. For the utmost security, critical parts of an app should be written in native code. Unfortunately, this approach has limitations as code modifications from security solutions merely complicate reverse engineering without providing secure memory locations. Any software security solution ultimately tries to conceal secrets in plain sight of attackers, enabling determined attackers always to succeed, especially given the array of hacking tools available.
• Cloud-based app security and monitoring services through SDKs. While additional data enhances accuracy, incorporating third-party capabilities also enlarges the attack surface, possibly introducing vulnerabilities and supply chain risks. This also fosters similarity between apps, increasing susceptibility to exploits. Before integrating third-party services to augment security, providers must balance value and risk.

Based on the previous discussion, a backend with a solid security and authentication architecture can reduce the attack surface of the app environment to media playback only, because there simply is no other secret valuable (long) enough left on the device. Still, it’s best practice for any app to use as many of the app-based defenses as possible to protect any secret or sensitive information, however short-lived it is.

Conclusion

In the realm of OTT/PayTV services, the path to security requires a multidimensional strategy. By creating a holistic approach and cultivating a zero-trust model, streaming providers can craft a robust shield against cyber threats and piracy. Device attestation, encryption, and vigilant monitoring combine forces to thwart attacks and mitigate vulnerabilities. In the perpetual journey towards secure streaming, providers must rethink how they guard their digital ecosystems to offer right holders and viewers an experience founded on trust, resilience, and uncompromised quality.