Apple FairPlay DRM: Video Protection on iOS & Safari in 2024

Fairplay DRM is the trusted studio-approved DRM for secure playback in the Apple IOS app, IOS Safari, Mac Safari. In this post, we present a complete guide for implementing Apple FairPlay DRM. FairPlay DRM protects videos from download and also stops screen capture of videos. The second half of the article explains the technology behind Fairplay DRM.

The content owner/distributor has to obtain the required license from Apple to use this. As your streaming partner, we provide the encryption and licensing service to use your FairPlay keys. The complete integration setup is handled directly by VdoCipher, you only need to apply for a license and get the keys.

What is FairPlay DRM?

Fairplay is Apple’s DRM technology, which is used by Apple exclusively to stream content securely on iOS app, iOS safari, macOS safari as well as TV OS.

Fairplay streaming(FPS) securely delivers encrypted content through HTTP Live Streaming(HLS) and CBCS protocol .

Apple Fairplay DRM prevents video download as well as ensures screen recording protection.

Apple Fairplay DRM Compatibility

Fairplay DRM is compatible with the following devices:

• Mac Safari
• iOS Safari (iOS >11.2)
• iOS App. Native Apps are supported, web view apps are not supported.

Difference between default VdoCipher encryption security & Fairplay DRM Encryption – VdoCipher provides default encryption security for ios and Safari to prevent downloads. Apple Fairplay DRM is approved by studios and has an additional advantage of prevention from screen capture. VdoCipher helps our customers to apply to Apple for a Fairplay license and also then integrate it for your videos without any extra steps needed from your side.

Features of Apple FairPlay DRM

Apple FairPlay DRM (Digital Rights Management) provides a robust framework designed to secure multimedia content across Apple devices. This system includes several key features that ensure high-security standards suitable for premium content, such as early-window Hollywood movies. Here’s an overview of the fundamental features of Apple FairPlay DRM and how they enhance content security:

Hardware DRM Support

Apple devices such as macOS, iOS, watchOS, and tvOS come equipped with hardware-level security, making them highly secure environments for deploying FairPlay DRM (FPS). Unlike other DRM systems like Widevine, which can also operate on Apple devices through browsers or SDKs, FPS offers native hardware DRM support. This hardware integration is crucial for securing premium content, as it provides a higher security level that is not readily available when using solutions like Widevine CDM SDK for iOS or Chrome’s Widevine on macOS.

Apple AirPlay Compatibility

One of the standout features of FPS DRM is its native support for Apple AirPlay, the technology that enables wireless streaming of content from Apple devices to Apple TV. This seamless compatibility allows FPS content to be easily played through AirPlay without requiring additional programming. Moreover, when FPS content is streamed to an Apple TV via AirPlay, the key delivery and decryption processes occur directly on the Apple TV. This maintains the same high security level as if the content were being played directly from the source device, such as an iPhone.

Download and Offline Playback

Starting from iOS 10, Apple has enhanced the FPS capabilities to include support for downloading and offline playback. This feature is particularly beneficial for users who wish to access content without an internet connection. The relevant APIs provided by Apple’s operating system facilitate the handling of downloading HLS content along with managing offline licenses. This ensures that even when content is accessed offline, it remains protected under the stringent security measures enforced by FPS DRM.

Supported Ecosystem of Apple FairPlay Streaming

To effectively deploy Apple FairPlay Streaming (FPS), it is essential to understand the supported platforms and versions that can leverage this DRM technology. Here is a detailed table outlining the compatibility across different Apple devices and operating systems:

Platform	Supported Version and Requirements
PC	macOS 10.10 or later: Safari browser
Mobile	iOS 9.0 or later: iOS native app
	iOS 11.2 or later: iOS Safari browser
	iPadOS 13.1 or later
Watch	watchOS 7 or later
OTT	Apple TV: tvOS 10.0 or later

Support Formats for Apple FairPlay

Apple FairPlay supports a variety of streaming formats and protocols to ensure broad compatibility and high-quality streaming experiences. Below is a table that summarizes the supported formats and protocols under the FairPlay DRM:

Type	Supported Formats/Protocols
Streaming	HLS, CMAF
Video	TS, fMP4 container
Video Codec	AVC (H.264), HEVC (H.265)
Audio Codec	AAC, MP3

How To Request Apple FairPlay DRM Production License?

IMPORTANT: Below are some key steps, but it is recommended to mail us at support@vdocipher.com and we will guide you on the procedure to apply to Apple for the license. 

1. Please go to the Apple FairPlay page.
2. Click on the link to Request Deployment Package. You need to have a developer account before this.
3. If you are an organization you should use the organization account for this purpose. Companies outside the USA need to obtain a DUNS number in order to create an organization account.
4. After proceeding further, you should see a form to request the deployment package.
5. Enter your company and content details. Please take our help (support@vdocipher.com) to ensure that Apple doesn’t reject your use case as it can do for many cases.
6. If asked, you can enter our name “VdoCipher” in “Streaming Distribution Partner Name”
7. Confirm that you already have a “Keyserver module” setup and tested. You now need the “deployment package” for production.

Note that Fairplay DRM is only allowed for entities who are the content owner or have distribution rights to the content. Apple only provides Fairpay license when the video content is premium i.e. can only be accessed after payment.

FairPlay Streaming: Key Components

Apple FairPlay Streaming (FPS) is an essential technology for securing digital rights management (DRM) on Apple devices. To implement FPS effectively, several critical components must be integrated within your content delivery architecture. Here’s a breakdown of these components and how they interact to protect your streaming content:

Key Server and Key Security Module (KSM)

At the heart of the FairPlay implementation is the Key Server, which is responsible for managing the encryption and decryption keys. These keys are crucial for the secure delivery of DRM-protected content. Content service providers have the option to integrate a Key Security Module (KSM) directly on their key server. Apple provides a KSM sample that can be referred to during implementation, facilitating the validation and secure transmission of key request data from clients.

Client Application

The client application is designed to run on various Apple operating systems, including iOS, tvOS, watchOS, and macOS. This FPS client app communicates with the key server to request the necessary decryption keys for accessing protected content. Developers can utilize Apple’s provided sample code to build their own FPS client applications or opt for a comprehensive FPS SDK from a DRM solution provider. This flexibility allows content service providers to tailor the client app to meet specific operational needs or user experiences.

FPS Content and Encryption

For content that utilizes FPS, it is essential to encrypt each HLS (HTTP Live Streaming) segment using the SAMPLE-AES encryption method. The standard encryption protocol used here is AES-128 CBCS. To manage this, content providers can employ tools like the Shaka Packager, which facilitates FPS packaging by adding the necessary KEY tag to the m3u8 playlist. This tag includes all pertinent information required for decrypting the HLS content, ensuring that the encryption aligns with Apple’s stringent security standards.

How To Use Fairplay DRM Deployment Package?

You should have received an FPS_deployment package file from Apple. Open the zip file. You should find a PDF document titled: “FPSCertificateCreationGuide.pdf”.

This pdf describes the process of creation of an RSA key-pair and then getting the public key signed by Apple. In the process, it also generates an ASK. This key is a 32 character alphanumeric string associated with your Fairplay DRM. Once the process is complete, you can share your private key, challenge password, signed certificate, and the ASK.

Checklist before proceeding:

1. Make sure you understand the overall process.
2. Make sure your hardware and OS is stable enough and has power backup so that it does not shut down unexpectedly. You can not recreate the keys if anything goes wrong, so prepare for such events.
3. In case of any issue, we are always there for help. If you need help with the key generation and signing process, we can offer guidance through a remote desktop session or skype.
4. Understand that it is your responsibility for the safe-keeping of generated keys.

How do we use the above keys?

The Apple FairPlay DRM is a multi-component system. It also requires us to maintain the media keys in our database.

– When the player loads, it requests the signed public certificate.
– The FairPlay DRM device uses the certificate to create a license request.
– The license servers can read the “license request” using the “private key” and corresponding challenge password.
– The ASK is used to create the license containing the content keys.

How do we store your keys?

– We have dedicated license servers and licensing database separate from the rest of our infrastructure. The license database is heavily access controlled.
– We save your encrypted private key for FairPlay DRM in Google Storage or AWS S3 for Video Streaming.
– Private keys and challenge passwords are only accessible from license servers.
– The challenge password and ASK is stored in MySQL Database encrypted by a session key held in license server application.
– The signed certificate is kept in separate S3 and is public readable from a CDN. The FairPlay DRM in the player will load this certificate on your website or mobile app.
– We have set up encrypted backups every 6 hours.

Safe-keeping

Although we take extreme care of your keys, we do not allow retrieving the keys in future. We expect you to safe keep all your keys. You should make sure backups of the keys and ensure that they remain accessible to only authorised persons. As a checklist, here is a list of things to keep for FairPlay DRM.

1. The private key (file)
2. Challenge password (string)
3. ASK (string)
4. Signed certificate (file)

It is recommended not to trust your memory and keep all the files and associated passwords in digital format.

The steps for generating and signing keys

Step 1. Generating key pair with private key (.pem) and signing request(.csr) files.

i) When asked to enter a challenge password, you should first write down the password somewhere safe.
ii) Copy it from there once.
iii) When asked for verification type the password without pasting.

Note that when typing in the terminal, you should not see anything on the screen. That is how the terminal hides passwords.

Step 2. Signing the key requires an active Apple developer program membership.

• Follow the exact process as described in the PDF document provided by Apple.
• You should receive the ASK and need to type it again. Make sure you have it copied to a safe place before typing it again.
• After proceeding, it should ask you to download the certificate file. (.cer)
• The document should ask you to save the certificate in Keychain. This step is only for safekeeping. It does not affect any functionality.

 

The process is now complete. In the end, you should have the following files safe:

1. Private key file (.pem)
2. Challenge password for the private key
3. ASK
4. Certificate file (*.cer)

Send your Apple Fairplay DRM keys to VdoCipher:

1. To share the above keys with us, use our email info [at] vdocipher.com. Do NOT use any other email or cc another email to the email. This process is to ensure that the files and passwords remain within our systems.
2. You should delete the email from your email servers after receiving confirmation from us.

How To Publish Videos On Your Site/app with Fairplay DRM & VdoCipher

Once you have shared the keys with VdoCipher, we will integrate it with streaming for your account at the backend. You don’t need to do any modifications to integrate VdoCipher. With our standard APIs or plugins, you can integrate our streaming player and enjoy secure embeds in the site or app.

What is The Technology Architecture behind Apple Fairplay DRM

The security of the content stream lies in the way encrypted content is transferred over the internet in a highly secure manner with a black-boxed key exchange mechanism.

FairPlay DRM files are encrypted using the AES algorithm on mp4 container files. The security of any encryption technology lies in the openness/closeness of its key exchange mechanism. For Fairplay DRM, the key for decryption is kept again in encrypted format in a closed box environment. The reason this close box is high secure is that Apple can control the total device and browser environment (Mac & iPhone). It is the same reason that the same DRM can’t work on android or chrome, because Apple can’t implement a hidden box environment in such cases.

Here are some details of DRM + Streaming infrastructure with VdoCipher

• Video Ingestion – You can upload videos through the dashboard, or using our upload APIs.
• Video Transcoding  –
  • Encoding videos to multiple sizes for different devices and net speed.
  • Encrypting the video (CENC).
  • Video File packaging and Key generation from the DRM license server
• Apis or plugins for Video Management 
• Encrypted video files are streamed through Amazon AWS Cloudfront and Google Cloud Platform CDN Edge locations to ensure fast video streaming
• Secure Online Video playback
  • Embed Code to generate Dynamic URLs (HTTP Post request including client secret key to get unique OTP)
  • Unique OTP is then sent by the DRM Server
  • The encrypted video file is decrypted in Browser/ Device’s trusted environment. The video is rendered via the video player, which can switch across different streams of different bitrates.
• Multi-DRM: For content creators wishing to stream across all devices and software, they need a multi-DRM strategy. At VdoCipher we provide Widevine for Chrome, Fairplay for Apple devices, with Flash as a fallback. This multi DRM solution ensures that content providers can fully rely on VdoCipher for distributing content on all devices.

Key Features And Benefits of Apple Fairplay DRM

These are some of the most important features of Fairplay DRM and their benefit.

Hardware DRM support

This feature is similar to widevine’s L1 security. Here you have security at the hardware level. This includes all the client environments that are compatible with Fairplay DRM. Through this you can ensure that screen recording is completely blocked.

Content Key Expiration

Fairplay DRM allows you to create expiring content keys. These expiring content keys allow you to allow playback for a limited period of time. A good example for this would be rental videos online. Also you can fix the number of simultaneous video playback for a single user account. Using this you can restrict the number of users similar to what Netflix does. 

Offline Playback

Fairplay DRM supports the download and offline playback of videos through native app. Apple provides the relevant APIs to handle the downloading of videos and managing the hls content through offline licenses.

How Does FairPlay Streaming Work?

Let’s have a look on how various elements in FairPlay work with each other stream encrypted content.

1. User interacts with the video player on the content provider’s app. 
2. Application then notifies AVFoundation about the video playback
3. AVFoundation downloads the HLS playlist for streaming.
4. AVFoundation then checks the KEY tag in the HLS playlist and ensures if the video file is encrypted. 
5. After the confirmation, AVFoundation requests the encryption key from the AVFoundation app delegate.
6. App delegate in turn asks for Server Playback Context(SPC) data from AVFoundation.
7. Upon receiving the SPC, App Delegate sends the SPC to the key server.
8.  Afer interpreting the SPC data through KSM module, it retrieves the key from the keydatabase.
9. Key server then sends the key to the AVFoundation delegate in the form of Content key context(CKC)
10.  AVFoundation delegate then pushes the CKC data to AVFoundation
11. AVFoundation then decrypts the key and streams the content securely

FAQs on Apple FairPlay DRM iOS

By now you must have got a fair enough idea on Apple FairPlay DRM iOS and Safari Video Security. It is a must-have for video protection on Apple devices.However, if you still have any doubts left about it and want to know more, then here we have mentioned some frequently asked questions. This will give you more understanding of Apple FairPlay DRM iOS:

Does Apple still use Fairplay?

Yes, Apple uses Fairplay DRM to secure its music content and Movie platforms also use Fairplay DRM to secure videos on Mac and IOS.

Does Fairplay DRM support Safari?

Yes Apple Fairplay DRM supports high secure playback in Mac Safari, IOS Safari and IOS App.

How can I get Fairplay License from Apple?

Please contact support@vdocipher.com for a detailed guideline from VdoCipher on applying and integrating Apple Fairplay DRM.

Does Fairplay DRM prevent video downloads?

Yes Fairplay DRM prevents illegal video downloads because of its strong encryption.

Does Fairplay DRM prevent screen capture?

Yes Fairplay DRM also blocks screen capture in Safari & IOS App.

Is Fairplay DRM free?

Apple Fairplay DRM integration is technically handled by DRM companies like VdoCipher to ensure the highest security on IOS and Mac.

How to secure videos from piracy in IOS App?

The highest security in the IOS app is ensured with the integration of Fairplay DRM. VdoCipher provides integration for Fairplay DRM

How to secure videos from piracy in IOS?

The highest security in IOS is ensured with the integration of Fairplay DRM. VdoCipher provides integration for Fairplay DRM.

---

We’ve also written a blog on how to stream videos on iOS using AVPlayer, do check it out to know more about video streaming in iOS.