AOSP Insider
Advanced AOSP Subsystems
4 min read

DRM (Digital Rights Management)

Overview

Digital Rights Management (DRM) in Android is the critical infrastructure that allows streaming services (like Netflix, Hulu, or Disney+) to deliver premium, copyrighted video to devices securely. The Android DRM framework ensures that decrypted video frames are never accessible to the user, the operating system, or any third-party app.

The DRM Framework in Android

Android's DRM architecture is designed to be plugin-based. The core Android OS does not implement the cryptographic logic; instead, it provides the MediaDrm API, which routes requests to vendor-specific DRM plugins (like Google Widevine, Microsoft PlayReady, or ClearKey for testing).

The architecture consists of three layers:

  1. Application Layer: Java apps use MediaDrm and MediaCrypto.
  2. Framework Layer: The native mediadrmserver process manages active sessions and routes calls to the appropriate HAL.
  3. HAL / Secure World: The actual cryptography and key management occur in the Trusted Execution Environment (TEE) or a Secure Element (SE), entirely isolated from the main Android OS.

Widevine DRM Levels: L1, L2, L3

Google Widevine is the default and most widely used DRM solution on Android. It defines three security levels:

Widevine L3 (Software DRM)

  • The DRM cryptography and key extraction are performed in software within the main CPU (typically in a sandboxed process, but still within the normal OS).
  • Video decoding is done in the clear.
  • Limitation: Content providers usually restrict L3 devices to Standard Definition (SD) resolutions (480p) because the uncompressed video could theoretically be intercepted.

Widevine L2

  • Cryptography occurs in the TEE, but video processing happens in software or non-secure hardware. Rarely used in modern consumer devices.

Widevine L1 (Hardware DRM)

  • The highest level of security. All cryptography, key management, and video decoding occur entirely within the TEE and secure hardware blocks.
  • The decrypted video frames are placed into secure memory buffers. SurfaceFlinger and the Display Controller can read these buffers to push them to the screen, but the CPU cannot read the pixels.
  • Benefit: Enables High Definition (HD), 4K, and HDR playback.

The MediaDrm API

Applications interact with DRM primarily through the MediaDrm API to acquire licenses.

  1. Instantiation: The app creates a MediaDrm instance using the specific UUID of the DRM scheme (e.g., Widevine's UUID).
  2. Session Creation: openSession() creates a secure context in the HAL.
  3. Key Request: The app extracts DRM initialization data (PSSH box) from the media container using MediaExtractor and calls getKeyRequest().
  4. Network Transaction: The app sends the encrypted request payload to the content provider's license server.
  5. Provisioning: The server responds with a license (keys). The app calls provideKeyResponse() to inject the keys into the secure hardware.
// Simplified MediaDrm Key Injection
UUID widevineUuid = new UUID(0xEDEF8BA979D64ACEL, 0xA3C827DCD51D21EDL);
MediaDrm mediaDrm = new MediaDrm(widevineUuid);
byte[] sessionId = mediaDrm.openSession();

MediaDrm.KeyRequest request = mediaDrm.getKeyRequest(sessionId, initData, mimeType, MediaDrm.KEY_TYPE_STREAMING, null);
// ... Send request to remote server via HTTPS ...
byte[] response = fetchLicenseFromServer(request.getData());

mediaDrm.provideKeyResponse(sessionId, response);

DRM HAL and the Secure Video Pipeline

Once keys are injected, the actual decryption happens during playback.

  1. MediaCrypto: The app creates a MediaCrypto object linked to the MediaDrm session and passes it to MediaCodec during configuration.
  2. Secure Buffers: MediaExtractor reads encrypted NAL units. These are queued into MediaCodec.
  3. OEMCrypto / TEE: The Codec2 component passes the encrypted buffer handle to the TEE. The TEE uses the previously injected keys to decrypt the video frame directly into a Secure GraphicBuffer.
  4. Composition: SurfaceFlinger composites the UI (playback controls) around the secure buffer. If the user attempts to take a screenshot or screen record, the secure buffer is hardware-blacked-out.

To check the supported DRM plugins and Widevine level on a device, you can use:

adb shell dumpsys media.drm
Previous Lesson
Stagefright
Next Lesson
Camera2 API