Recently, I’ve been asked a few times about DRM-protected content. Please note that this blog post does not take the legality of breaking DRM protection into account; it simply explains what DRM protection is and why Downie does not and will not support DRM-protected content.
DRM protection is a fairly vague term that only describes that the content is somehow protected. It’s like saying that you can drive “a vehicle” – is it a bike? car? truck? Generally speaking, DRM-protection brings encryption into the mix – it encrypts the data so that they can’t be used by software that’s not developed by the company that creates the protection.
For example, iTunes (Apple) used to encrypt audio files back in the day, resulting in awkward situations when you wanted to play a song on a non-Apple device and couldn’t. Apple does the same with videos. They use some kind of encryption to protect the content, and it can then only be played in iTunes or QuickTime Player (or on an iOS/AppleTV device, but again, just in the official Apple apps).
In a very similar manner, various other online content providers that offer apps for downloading content to watch offline later also encrypt the content so that it can only be viewed in their apps – the data can’t be played in other players. But their DRM protection is different from Apple’s. Everyone has their own. This is also why you can’t really have an app claiming that it can decrypt any DRM-protected content. Yes, there are apps for that – but they require the content to come from a supported source, and they usually support the source by dynamically loading parts of the player apps (e.g. iTunes) and using their code to decrypt the data.
What does this have to do with Downie? A lot. Online content is often also protected, mainly paid content (Netflix, Hulu, Channel 4, NPO, …). And how exactly? The companies nowadays use an industry standard called SAMPLE-AES encryption. This generally means that not the entire file is encrypted, just certain parts of it – it’s less encryption, while it still makes the file unplayable without the correct decryption key. So how does your browser get the decryption key? Can’t Downie get it and use it?
The keys get transferred via secure channels through Apple’s (or Adobe’s, Microsoft’s, …) servers. It is designed to be secure, and requires server support and communication between the company’s server and the key delivery system. The keys may also change over time, get shifted, etc. This generally makes it impossible for Downie to support this, and to my knowledge this encryption has not been broken yet.
I’ve been asked previously to allow Downie to just download the encrypted content and let the user play with it. But unfortunately it makes no sense: if you don’t have the key, then by the time the download finishes the key may already be different (even if you’re able to retrieve it), and it can be different for each part of the file. If you do not have it, brute-forcing (trying every key combination) would take months if not years on any computer.
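To make the SAMPLE-AES and changing-key points concrete, here is an added example (not Downie’s code): a small Python parser that reads an HLS media playlist and reports the encryption method, whether a DRM key system is named, and how many different keys the segments use. The playlist, its `skd://` URIs and the function names are constructed for illustration, and treating any non-`identity` `KEYFORMAT` as DRM is a heuristic assumed here.

```python
import re

# Constructed sample media playlist (not taken from any real service).
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-VERSION:5
#EXT-X-TARGETDURATION:6
#EXT-X-KEY:METHOD=SAMPLE-AES,URI="skd://example-key-1",KEYFORMAT="com.apple.streamingkeydelivery",KEYFORMATVERSIONS="1"
#EXTINF:6.0,
seg0.ts
#EXTINF:6.0,
seg1.ts
#EXT-X-KEY:METHOD=SAMPLE-AES,URI="skd://example-key-2",KEYFORMAT="com.apple.streamingkeydelivery",KEYFORMATVERSIONS="1"
#EXTINF:6.0,
seg2.ts
#EXT-X-ENDLIST
"""

# An attribute value is either a quoted string or runs up to the next comma.
ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')

def parse_attrs(attr_text):
    """Split an HLS attribute list into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in ATTR_RE.findall(attr_text)}

def key_map(playlist):
    """Return [(segment_uri, key_attrs_or_None)] in playlist order."""
    current, out = None, []
    for line in playlist.splitlines():
        line = line.strip()
        if line.startswith("#EXT-X-KEY:"):
            attrs = parse_attrs(line.split(":", 1)[1])
            # METHOD=NONE means the following segments are unencrypted.
            current = None if attrs.get("METHOD") == "NONE" else attrs
        elif line and not line.startswith("#"):
            # An EXT-X-KEY tag applies to every segment until the next one.
            out.append((line, current))
    return out

def summarize(playlist):
    """Report how the segments of a playlist are protected."""
    segs = key_map(playlist)
    keyed = [k for _, k in segs if k]
    # Assumed heuristic: a named key system (KEYFORMAT other than the
    # default "identity") means the key comes from a DRM license server.
    drm = any(k.get("KEYFORMAT", "identity") != "identity" for k in keyed)
    return {"segments": len(segs),
            "methods": sorted({k["METHOD"] for k in keyed}),
            "distinct_keys": len({k.get("URI") for k in keyed}),
            "drm": drm}
```

For the constructed playlist, `summarize(SAMPLE_PLAYLIST)` reports three segments, SAMPLE-AES as the only method, two distinct keys and `drm` set to true, which is the situation in which a downloader has nothing usable to save.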
If you are more tech-savvy and want to learn more about the topic, here are some links:
- basic overview of HLS encryption: https://bitmovin.com/docs/encoding/faqs/what-is-hls-aes-encryption
- nice overview of the entire issue including a diagram: https://www.encoding.com/apple-fairplay/
- Apple’s implementation: https://developer.apple.com/streaming/fps/
- Adobe’s implementation: https://helpx.adobe.com/adobe-media-server/dev/configuring-content-protection-hls.html
- Microsoft’s implementation: https://docs.microsoft.com/en-us/azure/media-services/previous/media-services-protect-hls-with-fairplay