Confidential. For use within only Slide 1 iOS and Android content protection requirements Version 0.2 Sony Pictures Entertainment Tim Wright.

Presentation transcript:

Slide 1: iOS and Android content protection requirements
Version 0.2
Sony Pictures Entertainment
Tim Wright

Slide 2: iOS guidelines (1) - applications
- Use of resident iPad http live streaming player via Safari browser is not ideal because:
  – No compliance and robustness rules governing implementation security and compliance
  – No legal framework governing implementers
  – Complete dependence on Apple for updates to security
- SPE therefore recommend (but do not mandate) security for iOS devices to be provided by applications implementing a recognised DRM
  – The resident http live streaming (HLS) player on the iPad can still be used, via secure conversion from the application/DRM to the HLS client on the device

Slide 3: iOS guidelines (2) - applications
- Applications (if used) should have functionality to detect if
  – device has been jailbroken
  – debug tools are installed on the device
  – other known iPad compromises have been effected
- Applications (if used) should shut down if any of these compromises are detected

Slide 4: iOS guidelines (3) – use of http live streaming to Safari browser
- Use of an app requires 30% charge to Apple, so use of http live streaming (HLS) via Safari browser on iOS devices is acceptable
- All relevant iOS requirements must be met
  – Key requirements are (but see full list later)
    - Unique https (SSL) URLs for m3u8 file delivery
    - Unique https (SSL) URLs for content encryption key file delivery
    - Content must be encrypted
    - Content must be streamed only with no caching

Slide 5: Android guidelines (1)
- For Android 2.3 and later, SPE strongly recommend that the DRM be provided using the resident Widevine DRM APIs and not via any other DRM
  – If Widevine is not used, the application providing the DRM should have in-built countermeasures and security to give the same level of protection as is provided by the resident Widevine DRM
  – For example, non-Widevine DRM applications should have functionality to detect if
    - debug tools are installed on the device
    - the device has been “rooted” (compromised so that the attacker has Linux root privileges on the device)
    - other known compromises have been effected

Slide 6: Android guidelines (2)
- If the resident http live streaming (HLS) client is used (resident for Android 3.0), for performance reasons, then Widevine should be used to secure this, and not just rely on HLS security
- Cryptographic operations, keys within the app, and other sensitive functions and data within the app should be implemented within Android native code (C code) and not in Android Dalvik Java bytecode (which can be easily reverse engineered)

Slide 7: General app security guidelines (both iOS and Android)
- App provider must be committed to monitoring for attacks on their app and to update the app if required
- SPE requirements in Content Protection Schedule must be met
- Software obfuscation must be used to conceal keys and functions within the app
- Apple App Store and Android Marketplace require the app posted there to be identical for all downloads
  – No device unique keys can therefore be in the app initially downloaded
  – The downloaded app must therefore contain an obfuscated key (global) which is used to authenticate the app by content service providers
  – App should then be individualised with unique keys bound to the device itself before protected content is delivered

Slide 8: http live streaming requirements (1)
1. The URL from which the m3u8 manifest file is requested shall be unique to each requesting client.
2. The m3u8 manifest file shall only be delivered to requesting clients/applications that have been authenticated in some way as being an authorized client/application.
3. The streams shall be encrypted using AES-128 encryption (that is, the METHOD for EXT-X-KEY shall be ‘AES-128’).
4. The content encryption key shall be delivered via SSL (i.e. the URI for EXT-X-KEY, the URL used to request the content encryption key, shall be a https URL).
5. The SSL connection used to obtain the content encryption key shall use both server and client authentication. The client key must be stored securely within the application using obfuscation or a similar method of protection. It is acceptable for the client key used for SSL client authentication to be the same for all instances of the application.
6. Output of the stream from the receiving device shall not be permitted unless this is explicitly allowed elsewhere in the schedule. No APIs that permit stream output shall be used in the application.

Slide 9: http live streaming requirements (2)
7. The client shall NOT cache streamed media for later replay (i.e. EXT-X-ALLOW-CACHE shall be set to ‘NO’).
8. iOS and Android 3.0 applications implementing http live streaming shall use APIs within Safari, Quicktime or Android (as applicable) for display of content to the greatest possible extent. That is, applications shall NOT contain implementations of http live streaming, decryption, de-compression etc but shall use the provisioned iOS/Android APIs to perform these functions.
9. iOS and Android 3.0 applications using http live streaming shall follow all relevant Apple or Android developer best practices and shall by this method or otherwise ensure the applications are as secure and robust as possible.
10. Licensee shall migrate from use of http live streaming (implementations of which are not governed by any compliance and robustness rules nor any legal framework ensuring implementations meet these rules) to use of an industry accepted DRM or secure streaming method which is governed by compliance and robustness rules and an associated legal framework, within a mutually agreed timeframe. The provisioned http live streaming client may be used for performance reasons but delivery of content to the client shall be protected with the industry accepted DRM or secure streaming method.
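
Requirements 3, 4 and 7 above can be checked mechanically against a served manifest. The following is an added example, not part of the original presentation: a small checker for a media playlist (not a master playlist), where the function name check_playlist, the sample playlists and the example.invalid host are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample media playlists (not from the presentation); hosts are placeholders.
COMPLIANT = """#EXTM3U
#EXT-X-TARGETDURATION:10
#EXT-X-ALLOW-CACHE:NO
#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.invalid/k/abc123"
#EXTINF:10.0,
seg0.ts
#EXT-X-ENDLIST
"""

NONCOMPLIANT = """#EXTM3U
#EXT-X-TARGETDURATION:10
#EXTINF:10.0,
intro.ts
#EXT-X-KEY:METHOD=AES-128,URI="http://keys.example.invalid/k/abc123"
#EXTINF:10.0,
seg1.ts
#EXT-X-ENDLIST
"""

ATTR = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')  # NAME=value or NAME="quoted value"

def check_playlist(text):
    """Return findings, each prefixed with the requirement number it violates."""
    findings = []
    key_active = False   # True while an AES-128 EXT-X-KEY applies to following segments
    allow_cache = None   # value of EXT-X-ALLOW-CACHE, if the tag is present
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("#EXT-X-ALLOW-CACHE:"):
            allow_cache = line.split(":", 1)[1].strip().upper()
        elif line.startswith("#EXT-X-KEY:"):
            attrs = {k: v.strip('"') for k, v in ATTR.findall(line.split(":", 1)[1])}
            key_active = attrs.get("METHOD") == "AES-128"
            if not key_active:
                findings.append("req 3: EXT-X-KEY METHOD is %r, not AES-128" % attrs.get("METHOD"))
            elif urlparse(attrs.get("URI", "")).scheme.lower() != "https":
                findings.append("req 4: key URI is not https: %r" % attrs.get("URI"))
        elif line and not line.startswith("#") and not key_active:
            findings.append("req 3: segment %r has no AES-128 key in effect" % line)
    if allow_cache != "NO":
        findings.append("req 7: EXT-X-ALLOW-CACHE is %r, expected 'NO'" % allow_cache)
    return findings
```

The checker also flags a segment listed before the first EXT-X-KEY tag, since that segment would be delivered in the clear even though a key appears later in the playlist. Requirements 1, 2, 5 and 6 concern server and application behaviour and cannot be verified from the manifest text alone.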