Protecting Your Content using Google Widevine

This topic covers how to protect your videos in apps with the Video Cloud Digital Rights Management feature (DRM), using Google Widevine.

Widevine is available in two varieties:

Widevine Classic: The older form of Widevine that works for special .wvm video archives. This the form you should use for iOS and Android apps.
Widevine Modular: The newer form of Widevine works for videos in MPEG-DASH format. It is recommended for playback in broswers for the Brightcove Player.

Creating Widevine DRM packages

DRM packages are created during the video ingestion process. Packages are specified in custom ingest profiles. For information on creating Widevine packages (Modular and Classic), see Content Security (DRM and HLSe).

Videos for iOS/Andriod apps - Widevine Classic

Video Cloud DRM offers the option of using Google Widevine to secure your content at its origin. This means that Video Cloud manages the packaging of each individual video as a protected asset along with its metadata.

How you should specify packages for Widevine Classic depends on the nature of the content:

Single file

Best when all of the content has the same display resolution, frame rate, and encoding profile. For example, a smart TV manufacturer who is delivering content to televisions. When multiple renditions with different resolutions are present in the same package, playback is fine until certain Android devices attempt to switch to a different rendition. We have seen cases where the display becomes garbled and the application crashes.

Set of files

Best when the content has different display resolution, frame rates, and encoding profiles. For example, when delivering content to Android devices.

For example, let's say a publisher's transcoding options contain 6 renditions, 2 with a resolution of 400x300, 3 with 780x400, and one with a resolution of 1280x700. The account is configured to use Widevine. After the upload, the publisher would have 3 .wvm files in that title. One .wvm containing the 2 400x300 renditions, one containing the three 780x400 renditions, and one containing the single 1280x700 rendition. This is the default behavior for Widevine upload, however, there is an account setting which, when enabled, will cause all renditions, regardless of resolution, to be packaged into one .wvm file.

Note: Widevine renditions cannot be previewed or played inside Video Cloud Studio.

Widevine will only use the MP4 renditions and ignore the HLS renditions. Note that the Widevine client is responsible for handling the rendition switching.

Note that a frame rate of 10 fps is recommended for video streams under 200 kbps. For video streams under 300 kbps, a frame rate of 12 to 15 fps is recommended. For all other streams, a frame rate of 29.97 is recommended. See this Apple document for more details.

Even when streaming to iOS devices, there will be no need to create HLS renditions. Widevine will deliver one of the MP4 renditions to the iOS device making it appear as though it is an HLS rendition. As part of the packaging process, our packagers request an encryption key from Google to secure the Widevine file. Once the content is packaged, it is uploaded to the CDN where it will sit in an encrypted format.

Note: On earlier versions of Android (earlier than 3.2), the renditions are packaged separately and rendition switching is not supported.

When the client tries to view a video that has been encrypted using Widevine, the Widevine client, which is part of the player, will make a call out to a license proxy server which will determine if it can get a license for the piece of content. The license is delivered from the license server (which is controlled by Google) in a secure fashion down to the client which uses it to decrypt the video.

Signing up for DRM

This feature requires an additional fee. Video Cloud offers other options for protecting your content across devices. See Content Protection and Digital Rights Management for more information. Contact your Account Manager about bundling DRM protection so that you can secure your content wherever it plays.

What happens after Widevine DRM implementation

After Widevine DRM implementation, Brightcove handles all licensing and packaging of your video assets, each with a unique encryption key. The first time a DRM-packaged video plays, the Video Cloud player silently takes a few seconds to download the required decryption key for that video.

Video Cloud packages and encrypts all renditions of newly uploaded videos as the first priority. Any videos uploaded before Widevine DRM implementation will continue to be available for play in an unencrypted state until the DRM process encrypts it.

Limitations when using Google Widevine

Brightcove recommends using Google Widevine to secure content in mobile apps and connected TVs only. For securing content on desktop or laptop computers, Brightcove recommends that you use Adobe Primetime — Widevine may work on desktop and laptop computers but Brightcove has not tested this and does not support it. If you use Google Widevine to secure content for for desktop computers, viewers will be prompted to download and install an extra plug-in for the Flash player.

There is a known Widevine bug that may result in truncation of the video at the end (up to 2.5 seconds, according to Google). The work around is to add 2.5 seconds of blank screen or some other content to the end of the video.

Technical FAQ

How do you block all video outputs from iOS devices including Airplay and Mirroring?

The Widevine client software is responsible for enforcement of policies.

What is the Widevine application architecture in the device? Is it a single application, two separate applications, one being the native video player to the device and one you have to implement yourself?

For iOS, Widevine provides a player component capable of playing back Widevine encrypted packages. This component is delivered as a software library, which is compiled into a native application by the developer.
In the Android case, the Widevine client software is a part of Android distributions later than 3.0. For Android 2.x, Widevine provides software libraries that can be complied into player applications.
In both cases, license requests, and key retrieval, decryption, and disposition are performed within Widevine's trusted code.

What is the key handling sequence in the device?

A key request is initiated with the Widevine client software, and made through the device's native HTTP libraries. This request is sent via SSL to Brightcove's license proxy servers, where we sign it and forward it to Widevine's license servers. This provides Brightcove a mechanism to inject additional policy requirements, and to verify that playback is appropriate in the context of Brightcove's business rules. Widevine returns an encrypted license response (presumably with a device-specific key), which Brightcove passes, unmodified, and still via SSL, back to the requesting device. The key is decrypted and disposed in the context of Widevine's client software.