Defending an Android implementation of a secure media path also requires a unique set of methods. This whitepaper provides a high-level overview of Android security risks for the content protection and mitigations required to increase its robustness against common attacks.
Multiple ways to repurpose the device
The Android platform gives the user a variety of options to interface with the device. Even though this gives the user more freedom, it also gives the user the ability to repurpose the device. Additionally, it widens the attack surface immensely compared to traditional STBs. Since Android is open source, everything an attacker needs to know can be found online. Additionally, Android is supported by a vast community with extensive knowledge of the platform. Before running the Android OS, a secure boot implementation has to be in place that authenticates each boot stage up to and including the Android OS.
Any vulnerability in one of these boot stages can compromise all the following steps. The secure boot must be developed with security in mind and needs to implement secure coding practices to prevent logical errors. It should also include mechanisms to defend against fault injection and side channel analysis if those mechanisms are not sufficiently provided by the hardware. Android provides a feature called dm-verity to support the secure boot process. However, there are tools available to bypass the secure boot of the Android OS and the following stages, e.g., TWRP. At Riscure, we are helping our customers to mitigate this risk by ensuring a desired level of security during the earlier boot stages.
Content protection in Android: security foundations
Securing the premium content on an open platform is a challenge that can only be overcome with layered defenses in hardware and software. This can be done through multiple-level security evaluation, for example, using white-box and black-box assessments. Additional advice for premium content application developers can be found in the full whitepaper. Register to access it for free via the form below.