For video platforms aiming to control distribution and prevent piracy, building a dedicated desktop app may sound like a strong move. But when it comes to real-world implementation, this approach is riddled with trade-offs.
The following article applies to Windows and Mac desktops. For mobile, we recommend building apps. Unlike desktop apps, mobile apps can provide higher overall security by leveraging OS-provided hardware DRM when available.
So, let's look into the technical limitations and security pitfalls of desktop video playback, and explain why HTML5-based DRM, when correctly configured, offers a far more robust and future-proof solution.
DRM is designed for web security
Modern DRM technology has been specifically designed around the HTML5 EME specification and works optimally in web environments. With proper DRM implementation, viewers can only watch videos within your website and cannot share them with others. The system is built on the understanding that someone who has the video URL cannot use it to obtain a playable video file directly. There is no risk in viewers being able to see the URL of the mp4, because the file is encrypted. It can only be played when licensed by your website. Even building desktop software for DRM requires extracting the CDM module from the latest Google Chrome and using a web-based framework such as Electron.
Desktop software creates security vulnerabilities
Building custom desktop software actually reduces security by pinning the Content Decryption Module (CDM) to a specific version. Unlike Google Chrome, which receives rapid updates whenever new security issues emerge, custom software makes it difficult to update until a newer CDM version becomes generally available. This can take significant time during which piracy can occur. This limitation means pirates can potentially exploit outdated security measures to download videos through the software.
Lower protection of media decryption pipeline
Custom software also suffers from weaker protection of the media decryption steps. This means it is more vulnerable to security exploits that extract the decrypted video internally. Solving this requires notarization from Google as a browser. This is why only a small set of popular browsers is able to play your videos through our DRM. Custom software is unable to use the latest CDM or work with OS-provided hardware security modules. This renders the desktop approach less effective than web-based DRM protection.
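As an added illustration (not VdoCipher's code), the following JavaScript uses the standard EME call navigator.requestMediaKeySystemAccess to find the strongest decryption-pipeline protection level a viewer's browser will grant. It assumes the Widevine key system and its robustness strings, which this article does not name; probeRobustness, configFor and the sample codec string are hypothetical names and values chosen for the example.

```javascript
// Added example: find the strongest robustness level the browser's CDM accepts.
// Assumption: Widevine ("com.widevine.alpha"); the article names no key system.
const KEY_SYSTEM = "com.widevine.alpha";

// Widevine robustness strings, strongest first. HW_* levels require
// hardware-backed protection of the decryption pipeline; SW_* are software-only.
const ROBUSTNESS_LEVELS = [
  "HW_SECURE_ALL",
  "HW_SECURE_DECODE",
  "HW_SECURE_CRYPTO",
  "SW_SECURE_DECODE",
  "SW_SECURE_CRYPTO",
];

// Constructed sample content type (H.264 in MP4).
const VIDEO_TYPE = 'video/mp4; codecs="avc1.42E01E"';

// Build the EME configuration list that asks for one robustness level.
function configFor(robustness) {
  return [{
    initDataTypes: ["cenc"],
    videoCapabilities: [{ contentType: VIDEO_TYPE, robustness }],
  }];
}

// requestAccess is injectable so the logic can be exercised outside a browser.
async function probeRobustness(
  requestAccess = (ks, cfg) => navigator.requestMediaKeySystemAccess(ks, cfg)
) {
  for (const level of ROBUSTNESS_LEVELS) {
    try {
      const access = await requestAccess(KEY_SYSTEM, configFor(level));
      // Report what the CDM granted, not what was asked for.
      const granted = access.getConfiguration().videoCapabilities[0].robustness;
      return {
        supported: true,
        robustness: granted,
        hardwareBacked: granted.startsWith("HW_"),
      };
    } catch (err) {
      // NotSupportedError: level unavailable, fall through to the next weaker one.
      if (err.name !== "NotSupportedError") throw err;
    }
  }
  return { supported: false, robustness: null, hardwareBacked: false };
}
```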
Screen capture prevention is ineffective
Hiding video URLs in desktop applications does little to prevent determined pirates from recording the screen. One might think that desktop software can help prevent screen capture. The plan usually is to block playback if any known screen recording software is running. However, there are still easier methods, such as HDMI capture, which uses a very affordable capture card to output the screen as a webcam and record it easily.
Understanding the threat model and getting to a solution
It is a mistake to underestimate the technical capability of the pirates. Pirates can easily use dynamic instrumentation tools to tamper with the application runtime. They can intercept network requests or extract in-memory data. They can use HDMI capture cards to record the screen. There can be limitations to DRM due to the state of technology. We try to be transparent in recognising these limitations and emerging exploits. Then, we can address them by building the most comprehensive security augmentation available on top of DRM.
Our approach to security
That is why we believe in building security based on specific threat models. We can discuss your requirements and suggest the right security configuration needed for preventing video downloads. We leverage our experience of preventing piracy over many years to create specific threat models. It has helped us to curate a vast set of tampering-detection and tracing capabilities. This piracy-identification feature shows you attempts at piracy and allows you to block, in a timely manner, accounts that might be trying to pirate the videos.
(Co-Founder & CTO) Brain behind all VdoCipher innovations, Vibhav eats and sleeps code. A physics and astronomy enthusiast; Vibhav actively works on video delivery technology, security and high volume data transfer using cloud.