HLS delivery to iOS/Android native player

Hi there,

I have been really struggling with the security measures for our Wowza server. I have been researching for 2 weeks now but have not found a sound solution, so any help/direction would be much appreciated.

My situation is as follows:

My company hosts a huge number of videos on S3 and we decided to use CloudFront RTMP to deliver the content to desktop (which is working fine and secured properly).

We want to use Wowza server to serve content to mobile devices: HLS to iOS devices and modern Android devices, with RTSP fallback.

We have been able to successfully serve HLS to iOS devices with vods3, and the content is displayed using the device's native player.

The problem is that we want to secure the connection so that users cannot guess the URL and then access it without any credentials. Since we want to use the native player, we cannot use the DRM technique to set up a secret key and store/send it to the player.

My question is whether Wowza supports a technique (similar to signed URLs in CloudFront) so that the URL must be generated using a secret key on our server and have an expiration time?

Best regards,

Quang

This is from the Cloudfront FAQ found here:

“At this time, live streams can’t be delivered securely by using CloudFront-signed URLs because of the nature by which player applications generate URL requests for the live stream data. However, progressively downloaded media can be delivered privately by using signed URLs. For more information, see Serving Private Content through Cloudfront.”

Salvadore

There is no time-based token, but you can make one. A forum user has created a similar module here:

Custom stream authorization and expiration module

Also, take a look at the Security Overview for more information.

Salvadore

Hi Salvadore,

Thank you for your reply. I have read the thread you mentioned above. However, it does not cover my issue.

I decided to use Cloudfront only for RTMP and Wowza for HLS and RTSP fallback.

My issue is that there is a rule for the file name (xxxx.mp4), so everyone who knows how Wowza works can construct the URL to get access to the video:

http://[wowza-AWS-ip-address]/vods3/definst/mp4:amazons3/[folder-name]/[folder-name]/xxxx.mp4/playlist.m3u8

My question is whether I can create a time-based token with a shared secret so that the URL must be constructed by our server to get access to the HLS stream:

http://[wowza-AWS-ip-address]/vods3/definst/mp4:amazons3/[folder-name]/[folder-name]/xxxx.mp4/playlist.m3u8&EXP-Time&secret_key

We don’t provide live streams, only video on demand.

Best regards,

Quang