
Software architect working in Symbian/S60 area since 2000 and still being enthusiastic about mobility. Please visit my introduction page on Forum Nokia Champions web page.

Let's use DRM!

tote_b5 | 03 August, 2006 14:59

I've seen *lots* of questions on various S60 forums where developers were asking for advice on how to implement THE ideal security technique that protects their application from cracking, stealing and, in general, being used without the permission of the author.
I'm not sure if they're aware that they're not alone with their problem and that in fact Nokia (and Symbian, of course) has already made a framework for them that's sitting on *every* S60 phone and just waiting to be used.

This framework is called DRM, which is short for Digital Rights Management. You might have heard about it lately, as it's quite a hot topic, namely the "war" between Apple and France. So, without delving into technical details regarding the capabilities of the aforementioned framework, let me point out its two most important features:
- forward-lock: it does NOT allow sending DRM-protected content from one phone to another (i.e. forwarding).
- preventing the user from consuming the content (listening to music, watching video, playing a game, etc.) more than she's paid for. It's possible to set up this limit by specifying how many times or for how long the content can be used without having to pay again.
Note that there is an exception for forward-lock, called Super Distribution, where the content *can* be forwarded, but under complete control.

So, what does a developer have to do if she wants to DRM-protect her application? There are two things she has to tackle:
- first, she must make the application (i.e. the SIS file) DRM-protected: the freely downloadable NMIT makes that possible, for example.
- second, publish the protected content so that others can download it. An important point here is that, ideally, publishing is set up so that it is convenient for users to ask for new permission (as user rights usually expire from time to time).

And this is the point where I'm uncertain as to whether there is enough support for developers. You know, they have to
- either set up their own delivery server that takes care of content as well as rights management. I'm sure you all see that one can hardly find free tools for it.
- or make use of the DRM support service their mobile content provider provides them. If it does provide. For example, I've already seen that Handango (one of the most popular S60 content providers) provides similar support for its *partners*. I call it "DRM hosting", hope that I use this term right, and am really wondering how much it costs for average developers. I mean, I'm sure that some developers/companies can afford it, but what about "the masses"?

I'm eager to hear your opinion!

Tote

Comments

Re: Let's use DRM!

antonypr | 03/08/2006, 17:08

Could you please give more detailed information on how to protect a .sis file? From my understanding, your proposal is to protect the .sis file using NMIT. Fine, we have a protected .sis file. So far so good.
Now, after the user has installed the application, she has the "plain version" of the application (.app or .exe) on her memory card. Are they protected too? Can't the user just copy the .app or .exe using a file browser, for example?

Re: Let's use DRM!

mgroeber9110 | 04/08/2006, 18:05

As I see it, there are two very different cases for DRM:

- Passive content, such as themes, music files etc.
- Active content, such as applications (both C++ and Java)

In the first case, the entire DRM has to be handled by the software "playing" the content and which is already built into the phone - so the DRM capabilities (is it protected at all? what rights can be assigned?) depend entirely on the built-in software.

On the other hand, active content has to do this enforcement on its own, by calling APIs to check whether there is a valid license, count the number of launches etc. There are APIs for this in Series 60, but so far (at least for me) the picture is very hazy how they go together. Forward-locking the SIS file is only a very small part of it, because it falls apart when the user can also install the application using PC Suite, for example.

I for my part would be very happy to see a whitepaper from Nokia describing an end-to-end architecture for DRM protection of C++ applications in 3rd Edition. This could describe, for example, how the most common use cases (per-IMEI licensing, time/count limited trials) can be implemented by making good use of what is already there, and ideally also discuss safety against possible attacks.

Another aspect that would be very useful to talk about is the generation of the actual license keys, and their distribution to end-users' phones. As far as I can see, the Activation Keys application in the phone would provide a standard repository for keeping and managing received keys - this would be a much better user experience than each application having its own key management, and also save developers from having to re-invent a system where making a mistake may either mean giving the application away for free, or locking legitimate users out of their software...

Dealing with the key-generation aspect by using a "DRM hosting" service as you describe it may be a good idea, but that would depend on using a more or less standardized licensing scheme as well.

ciao marcus

Re: Let's use DRM!

tote_b5 | 06/08/2006, 00:19

Antony: to be honest, I don't know how SIS DRM protection works. I've read here (http://forum.nokia.com/main/resources/technologies/drm_and_download/index.html) that DRM protection for SIS packages has been available from 2nd Edition FP1 on, but I haven't yet tried it out myself. In any case, even if it didn't work, you can always add a DRM-protected file to your package and upon application startup you can "consume" it: if it fails, then your application can fail to start.

Marcus: I agree with most of the things you wrote, with the following remarks:
- Active protection of an application: I've just described to Antony how active content (e.g. an application) can utilize passive content for DRM protection. However, I can imagine a framework that works with applications (be they native or Java) so that the applications themselves are protected. I mean, applications, servers, Java binaries. I'm not sure if that support is already available, I suspect it is not, but I'm not sure.
- Yes, I agree with you that it's really painful that DRM implementations differ from each other, it's really us who suffer from this decision. However, the licensing scheme can be relatively straightforward for S60 in my opinion and that shouldn't prevent content providers from supporting DRM hosting for that particular platform. I mean, it would be profitable for them also, not only beneficial for the developer. It would be such a service that everybody could make use of.

Finally, I will try to find some resources on how DRM protection works with SIS and JAR files. I'll get back to you when I find something.

Cheers,

Tote