Today we have a working solution to protect audio, video and file content on Android mobiles. The solution is embedded in our mobile app on Google Play and is going through multiple rounds of testing. Credit for the work goes to Balaji kutty.
When we started building applications in early 2011, serious questions were raised about the need to protect the content that educational content providers supply to us. We implemented a solution for J2ME phones, but it has its own limitations for large media files. We had also built a way to control the expiry of the content based on the date on the mobile. When we were planning the move to Android at the end of 2011, we assumed that life would be easier, on the assumption that Android is a mature system compared to J2ME.
On content protection, the news to start with was not good. Android devices can be rooted by their users, and there is no way for an application to detect whether a device is rooted or not. Nor can one modify the hardware or the user’s system. Google Play only helped with license protection for the application and did not offer much help for application content.
The first thought was to encrypt the content and have the application decrypt it. This worked for text files, XML and images, but we had a question: where do we store the private key safely? Then came playing media files. We found that there was no direct approach to pass a local video stream to the player. The player supported methods to play an HTTP stream, but it did not have methods to read local file streams. Any solution should cover the following:
1. Bind content to the phone.
2. Bind content to an application.
3. Control the validity/expiry of the content.
Thanks for the initial idea go to the solution at the Stack Overflow link. Using this solution, we made the player play local files over an HTTP stream. The player receives a decrypted HTTP stream of the protected local media, which it plays beautifully. This helps to make sure that the content is bound to the application.
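The approach described above, sketched as an added example that is not the code from our app or from the Stack Overflow answer: a loopback-only server that decrypts a protected file on the fly and streams it to the player over HTTP. The class name, the AES-CTR mode, the file layout (16-byte IV followed by ciphertext), the random URL token and the single-request handling without Range support are all assumptions made for illustration.

```java
import java.io.*;
import java.math.BigInteger;
import java.net.*;
import java.security.SecureRandom;
import javax.crypto.*;
import javax.crypto.spec.*;

public class LocalDecryptingServer implements Runnable {  // hypothetical class name
    private final ServerSocket server;
    private final File encrypted;  // assumed layout: 16-byte IV, then AES-CTR ciphertext
    private final byte[] key;      // AES key; where it is stored is out of scope here
    private final String token;    // random URL path so other apps cannot guess the stream URL

    public LocalDecryptingServer(File encrypted, byte[] key) throws IOException {
        this.encrypted = encrypted;
        this.key = key.clone();
        // Port 0 picks a free port; binding to loopback keeps the stream off the network.
        this.server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress());
        this.token = new BigInteger(128, new SecureRandom()).toString(16);
    }

    // URL to hand to the media player.
    public String url() {
        return "http://127.0.0.1:" + server.getLocalPort() + "/" + token;
    }

    @Override
    public void run() {
        try (ServerSocket srv = server;
             Socket s = srv.accept();
             BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream(), "US-ASCII"));
             OutputStream out = s.getOutputStream();
             DataInputStream file = new DataInputStream(new FileInputStream(encrypted))) {
            String request = in.readLine();  // expected: "GET /<token> HTTP/1.x"
            for (String h = request; h != null && !h.isEmpty(); h = in.readLine()) { }  // drain headers
            if (request == null || !request.startsWith("GET /" + token + " ")) {
                out.write("HTTP/1.0 403 Forbidden\r\n\r\n".getBytes("US-ASCII"));
                return;
            }
            byte[] iv = new byte[16];
            file.readFully(iv);
            Cipher c = Cipher.getInstance("AES/CTR/NoPadding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
            out.write("HTTP/1.0 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n".getBytes("US-ASCII"));
            InputStream plain = new CipherInputStream(file, c);  // closed together with `file`
            byte[] buf = new byte[8192];
            for (int n; (n = plain.read(buf)) != -1; ) out.write(buf, 0, n);
        } catch (Exception e) {
            // Stand-in handling: a real app would log this and report the playback failure.
        }
    }
}
```

Run the server on a background thread and pass `url()` to the player; the plaintext exists only in memory and on the loopback socket, never as a decrypted file on storage.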
To bind the content to the phone, we decided to ask the user to activate their content subscription on the first start of the application by sending the same credentials (login name, password) used during purchase of the subscription. We used this to make sure that the content was bound to the phone.
There is still a challenge: the user can activate the content from his tablet and also from his phone using the same credentials. We strongly believe that the user has a right to the content on his devices. It is also possible to implement checks to ensure that activation happens only once for a specific user, but this brings additional issues such as replacement of the user’s device due to loss or a device upgrade.