Breaking into Encryption with Hybrid Apps

Published Aug 10, 2017
Breaking into Encryption with Hybrid Apps

With increasing number of security breaches and more number of app based startups, encryption has become the need of the hour to protect your data. It becomes even more important when you are serving self-made media on the apps like images, audios and videos. I was recently challenged by one such requirement to run fully encrypted video, online and offline, in Hybrid mobile apps. The journey to video encryption resulted in a lot of learnings.

In easier words, encryption is just scrambling data so it is unreadable by unintended parties, using a rule which only you know. Using this rule, you can interpret the unreadable data back in a readable format and use in your application. For example, this is what a normal chat message looks like

“Hey, how are you”

which, when encrypted with your passcode, becomes this

wUwDPglyJu9LOnkBAf4vxSpQgQZltcz7LWwEquhdm5kSQIkQlZtfxtSTsmaw
q6gVH8SimlC3W6TDOhhL2FdgvdIC7sDv7G1Z7pCNzFLp0lgB9ACm8r5RZOBi
N5ske9cBVjlVfgmQ9VpFzSwzLLODhCU7/2THg2iDrW3NGQZfz3SSWviwCe7G
mNIvp5jEkGPCGcla4Fgdp/xuyewPk6NDlBewftLtHJVf
=PAb3

It’s close to impossible to decrypt this message without knowing the passcode.

There are lot of algorithms available to encrypt data like AES, RSA etc., essentially different ways to scramble data and decrypt it with the passcode. These days it is very common to encrypt chat messages in apps like WhatsApp, Messenger etc. This is done so that no one can read your personal chat messages, not even the app’s developers. Encryption had recently put Apple one-on-one against FBI, when FBI wanted Apple to decrypt the data on a criminals’s phone, while Apple refused to do that outright.

While data and chat messages are easy to encrypt, it’s a whole different story when it comes to encrypt videos. Videos are ‘Heavy’, and if you apply the same text-encryption techniques to videos, they need high computational power and memory to run. Desktop devices can run these, while modern day smart phones can struggle with these.

“This is because reading video in text format results in several lakhs words just for a 1MB video.“

So, complete video encryption does not make sense. But that’s not all. The next challenge was to do all this for Hybrid HTML5 mobile apps. These apps run on the in-built web-view of Android and iOS. So essentially it has similar capabilities as a browser. Browsers, while they’re powerful in compiling web content, are not designed to carry out encryption/decryption of huge amount of data. Native apps, which use Java and Objective C, can run multi-threads to distribute computational power, but HTML5 apps can’t.

The solution is to use Encrypted Media Extensions available for HTML5 video players, along with DASH - Dynamic Adaptive Streaming over HTTP, and DRM. DASH, breaks down media into chunks and provide a playlist file to reference them all, without actually revealing the URL of the video. DASH also breaks the video in different bitrates to provide smoother streaming over a variable internet speed, that’s what Youtube does when your internet suddenly slows down, it brings you to 128P. DRM, Digital rights management, gives you to ability to put a license check before video playback, essentially what Netflix does. It checks if you have a valid account, and only then allows you to watch the streaming. All this is very easy and good documentation is available. I used Google Shaka Player to play DASH encrypted streaming in the app, it runs beautifully.
shaka-player-logo.png
But things get tricky when it comes to offline encrypted playback ! It is essential for apps because anyone can steal your copyright videos downloaded on phone, and they won’t subscribe to the services again. Now, almost all DRM services provide what is called a persistent license, which allows you to play offline encrypted media (That’s what Youtube uses for your offline playback). BUT, Shaka player does not support persistent license on Chrome or Safari as of now ( in future it will, it won’t, internet has different views). Bummer !!

Tada ! DASH Clear Key encryption comes to the rescue. It is essentially a password encryption system, which avoids a licensing server, and reduces cost as well. You provide the password when encrypting the video, and same when decrypting and playing on HTML5 app. Once you go offline, you’ll have your password to decrypt files on the go. Interestingly enough, DASH clear key encryption only plays ‘http://‘ files, of course, because it is made for ‘http’ streaming (the ‘H’ in DASH). But, files stored in phone are accessed via ‘file://' protocol, so a strict NO from the browser.

The only option remaining is to run a server in the app. What ? A server in an app run in a browser ? Yes, it is possible. It is done in game apps, as they load resources as the game progresses. That is why games are heavier in download size, but often don’t require internet to play. We created a server inside the app itself, loaded all the files on that server and Voila ! - Shaka started playing encrypted videos offline !!

This opens up new frontiers to video encryption in HTML5 Hybrid apps and offline playback. Hybrid apps are not that far behind Native after all !

Discover and read more posts from Abhishek Rathore
get started