Streaming app security: why you should protect code as well as content
The post Streaming app security: why you should protect code as well as content appeared first on Intertrust Technologies.
- The growing demand for streaming apps brings opportunities but also broadens the attack surface for service providers.
- The vast majority of streaming apps lack basic security protections.
- Risks for OTT service providers include revenue loss, brand damage, and compliance violations
- Robust streaming app security requires a broad-based set of application protection measures, including advanced obfuscation, anti-tampering, and white-box cryptography.
The improvements in device and broadband speeds over the past decade helped fuel a surge in demand for high-quality entertainment content. Seizing the opportunity, new and established online streaming services steadily ate into traditional pay TV operators’ domination of the entertainment landscape by offering greater flexibility in terms of pricing, how viewers can access content, and, most importantly, what they can watch.
That was before 2020 and the COVID-19 pandemic hit. With worldwide stay-at-home orders in effect, over-the-top (OTT) streaming services catapulted years ahead in terms of market adoption. Global subscriptions to online video streaming services reached 1.1 billion in 2020, up 26% from the previous year. New platforms launched within the last year alone include Disney+, Peacock, HBO Max, Paramount+, and more.
Threats to streaming app security
The rise in streaming use has presented cybercriminals with new avenues to launch attacks. A recent survey of 1000 streaming users found that more than one in ten respondents have had their streaming accounts hacked. Attacks on streaming services take various forms, from phishing emails asking service subscribers to update their login credentials or payment information, to phony app updates, to attacks on the streaming applications themselves.
Attackers target OTT applications to dig out sensitive data, tamper with code, find vulnerabilities they can exploit, and uncover ways to circumvent streaming app security and authentication restrictions. They also reverse engineer app code to develop their own fraudulent app versions. Recently, a fake, malicious Netflix app gained acceptance into the Google Play app store and proceeded to steal credit card information and credentials from close to 500 victims before it was discovered.
Robust DRM technologies protect streaming content but they don’t protect the applications that deliver content. Yet, despite the risks, most OTT apps incorporate no or minimal application level security. A recent study found that 93% of tested OTT apps lacked basic protections such as code obfuscation and environmental checks.
OTT application security risks
The varying components that make an OTT app function all open up their own security risks. The application code, third-party libraries, integrations, can each contain vulnerabilities. Certainly the operating system of the device it runs on contains security flaws. In the first quarter of 2021 alone, Google patched 121 critical and high severity vulnerabilities in its Android operating system while Apple fixed 54 security issues in iOS.
Any vulnerability opens a potential avenue for attackers to exploit. When you consider the multiple devices—web browsers, smart TVs, mobile devices, and streaming players—and operating systems where an OTT application runs, the attack surface can be huge.
Jailbroken and rooted devices pose another risk to OTT application security as this disables OS-level protections. It’s up to app developers to build in security mechanisms that shrink the attackable surface and protect the application from hacking attempts.
Risks from insecure streaming apps include:
- Reverse engineering an app to discover how it authenticates itself with the back-end streaming platform
- Reverse engineering an app to find unencrypted login details, encryption keys, payment details, and other sensitive or personal data
- Lifting and duplicating application code to create fake or cloned apps
- Tampering with applications to insert phishing overlays on an app’s login screen or inject other malicious code
- Reverse engineering to discover leftover info files, backdoors, forgotten API endpoints, and other flaws in the app’s security that attackers can exploit
Why streaming app security matters for OTT service providers
While DRM technology protects content, it does not secure the other valuable information and assets in a streaming app. Streaming apps hold payment details, personal data, and proprietary technology that make lucrative targets for cybercriminals.
Insufficient streaming app security can directly impact revenue for OTT providers. Hackers may bypass authentication protocols to access premium services for free, interfere with ad revenue streams, or publish cloned apps that lure away customers.
Less tangible consequences can cause even more havoc. Hijacked apps that contain malicious code damage brand reputation. Attackers can use vulnerabilities in apps to gain access to your internal servers and networks, eventually spreading throughout organizational systems.
Content security compliance
Content owners issue security mandates, or a “robustness framework,” that content distributors must follow. This is where DRM technologies come in. However, as attacks on streaming apps increase and content piracy continues to plague the industry, we expect these general streaming app security requirements to tighten. Increasingly, broader app security measures such as code obfuscation and environmental checks are being used to complement DRM technology. Streaming services that do not incorporate broad-based application protection measures risk losing access to new content.
Data privacy and security
Streaming apps often store personal data that requires protection under GDPR, CCPA and other data privacy regulations. Breaches can trigger hefty fines, public disclosures, and further penalties. Apps that process payments, such as many sports streaming apps, also need to comply with financial transaction security requirements set by PCI-DSS, PSD2, and other regulatory bodies. These often dictate the use of specialized code obfuscation, runtime checks, cryptographic key protections, and other financial data protection measures.
How to protect your OTT streaming app
The results of the analysis referenced above indicate that the DevSecOps bandwagon hasn’t yet hit streaming apps. Overall software security is getting sidelined as development teams focus mainly on DRM, while security teams worry more about system and network security. But there’s a way to incorporate application protection without disrupting the app build cycle.
In-app protection, also termed application shielding, builds protections into the app code that make it resistant to hacking attempts. It mitigates security gaps in the application itself, helping streaming services protect content end-to-end. Comprehensive in-app protection technologies prevent threats to streaming app security, such as:
- Reverse engineering
- Code tampering
- Malware injection
- Encryption key extraction
- Side-channel attacks
- Data theft
End-to-end security with Intertrust
Intertrust’s industry-leading whiteCryption in-app protection takes a multipronged approach to defend streaming applications from attacks. It’s the same technology securing the code of some of the biggest content protection schemes, such as Google Widevine. These defense strategies include:
- Powerful code obfuscation to stop reverse engineering and protect sensitive information
- Rooting/jailbreaking detection, anti-debugging mechanisms, and other protections to prevent static and dynamic analysis
- The industry-leading white-box cryptography to keep encryption keys safe from side-channel attacks and other exfiltration attempts
- Integrity checkers to detect attempted code manipulation
- Runtime application self-protection (RASP), which executes real-time defense actions in response to detected threats
whiteCryption secures streaming applications across platforms and devices, including mobile devices, PCs, and Smart TVs.
The holistic protection solutions offered by Intertrust allow streaming services to meet requirements set by content creators and regulators, giving them access to international markets and the high-quality content that their subscribers demand. To find out more about how whiteCryption helps streaming providers around the world, get in touch with us today.
*** This is a Security Bloggers Network syndicated blog from Intertrust Technologies - Security Blogs authored by Ali Hodjat. Read the original post at: https://www.intertrust.com/blog/streaming-app-security-protect-code-and-content/
