redefining content security whitepaper series android … · 2019-10-30 · redefining content...

REDEFINING CONTENT SECURITY WHITEPAPER SERIES

Android TV vs. AOSP

Implications on Total Cost of Ownership and Content Security

conax.com


Post on 04-Jun-2020


CONTENTS

Introduction

Delivering a Next-Generation User Experience

Under the Hood

Securing Android Devices

Comparing the Different Approaches to Android

Conclusion

Over the last decade, the Android operating system has become one of the most widely used platforms across different consumer devices. According to Gartner, 327 million out of 379 million smartphones sold in the first quarter of 2017 ran Android (86.1 percent)¹. While Android has seen wide success on smartphones and tablets, its growth is not limited to those platforms. According to Google, more than 1 million activations are added every two months on Android TV™. Additionally, more than 20 operators globally have launched an Android TV service so far. Forecasts from IHS Markit indicate that shipments of Android TV devices will grow by 44 percent CAGR from 2015 to 2020.

Five key drivers attract pay-TV providers to Android set-top-box (STB) propositions: giving subscribers access to apps and services, increasing end-user engagement, exploring new monetization avenues, reducing the time to market for new STBs, and decreasing churn by keeping subscribers on HDMI1, the TV input controlled by the operator device.


To gain a more in-depth perspective of the commercial benefits, it is essential to understand the different variants of Android STBs that can be deployed in a pay-TV operation². These include:

1. Android TV STB

2. AOSP-based STB compliant with Android CDD

3. AOSP-based STB not compliant with CDD (a.k.a. AOSP Fork)

1 https://www.gartner.com/newsroom/id/3725117

2 http://www.conax.com/press-events/webinars

WHAT IS AOSP?

Android Open Source Project is a software stack and an open source project led by Google.

WHAT IS ANDROID CDD?

Android Compatibility Definition Document (CDD) is a set of requirements that must be met in order for devices to be compatible with the latest version of Android.


This paper will explore the pros and cons of each variant of Android in the context of STB development projects for pay-TV operators. Furthermore, the paper will look at the difference in effort and complexity for Android TV and AOSP based on compliance with CDD, providing insight into the commercial impact of each variant for an operator and the overall benefits vs. trade-offs.

There are three key areas to consider for each variant, which impact one-time and long-term costs:

• User experience and interaction

• Under the hood hardware and software

• Content security

DELIVERING A NEXT-GENERATION USER EXPERIENCE

Pay-TV subscribers expect a smooth and rich user experience (UX) on Android devices, similar to what they’ve encountered on smartphones. There are three ways that operators can streamline the UX for end-users: through an optimized home screen, by providing the best content selection and by providing advanced interaction options.

Creating a Custom Launcher/Home Screen

When the STB is powered up it starts either in the home screen of the operator (the operator app) or in the application launcher where the user can search for and select content and apps to launch. The look and feel, as well as the content offered through this entry point into the platform, is vital for the user experience of the service.

With AOSP, operators can completely customize the home screen launcher on their STB device, including control over operator-featured content (apps and games) and features like search and recommendation. The icon placements, and the UI level at which content is made available, are defined by the operator. Depending on the complexity of the project this could take anywhere between three and nine months to implement. The complete choice of user experience, combined with operator control over the placement of apps and services, makes it a good choice for operators that focus on a custom branded user experience.

To customize the home screen user experience using Android TV, operators have two options: the Android TV standard launcher or an Operator Tier launcher. In the latest version of Android TV (i.e. Android Oreo), there is a UI framework to plug in a list of pre-installed Android apps, access to personalized recommendations, and a placeholder for featured content determined by the operator. It ensures increased visibility of operator-sponsored content on home screens and search results to boost content consumption. This is a good option for operators looking to differentiate themselves through their own content offering rather than through a branded user experience. The configuration of the launcher is simple and easy to do for OEMs compared with the full-fledged launcher implementation of AOSP.

The Android TV Operator Tier launcher approach, on the other hand, allows for UX customizations as massive as that of an AOSP launcher. There are some Android TV guidelines that must be followed, but otherwise operators have a high degree of freedom to define a unique look and feel. This is a good option for operators that wish to differentiate through a bespoke user experience. The trade-off is a longer time to market when compared to the standard launcher implementation.

Certain user interface and middleware technology partners offer a customized UX template solution that allows operators to choose from a menu of skin-able, tweakable UX options. It is completely different from the Android TV standard launcher UX. From a complexity and timeline perspective, there is additional effort involved, such as the need to include a UI provider. Moreover, there are additional checks and balances involved to ensure compatibility with Android TV guidelines. From a time to market perspective, this route is in the middle compared with what an Android TV standard launcher and a custom AOSP launcher offer.

AOSP: A custom launcher gives complete control over the user experience, at the expense of additional UI integration time and effort.

Android TV: The standard launcher comes built-in with Android TV services and only needs configuration to customize and go to market quickly.


Opening Up a World of Apps and Games

The Android platform attracts a relatively large developer network across the globe, thus allowing a bigger base of apps and games to be offered to consumers.

AOSP devices do not have access to the Play Store. Operators can either choose to integrate a third-party app marketplace or exert control by selecting a limited number of apps, including their own service offering, to be present on the Android device, effectively building a walled-garden approach. In terms of effort and complexity, third-party app marketplaces necessitate integrating back-end systems to monitor the ingestion of apps, the distribution of apps to provisioned devices, and to manage their lifecycle on the end-user devices in addition to ensuring that these apps comply with Android requirements. Additionally, operators might want to hire independent software vendors for app development and ramp up human resource competency to seek and create app partnerships.

From an Android TV perspective, regardless of whether the standard launcher or Operator Tier launcher is used, these services are pre-built. The five Google services — Play Store, Games, Movies, YouTube and Music — are part of the software stack once an operator signs an agreement for the Android TV device. Deploying pre-installed Android apps on the STB is fairly easy either through the OEM or via a web-based portal provided by Google. Operators are saved from having to engage with multiple stakeholders to bring content to subscribers. Updates to Android apps are delivered via Google’s back-end to the STB devices.

Through full access to the Google Play Store, Android TV benefits from a vast availability of apps and services (currently more than 3000 apps) from all types of providers. While this provides operators’ subscribers with immediate access to a world of content and apps, it does not provide any means for the operator to block competing services from their platform. Using the Operator Tier launcher, operators can, however, ensure that their own content is prioritized in the launcher and the Android search engine.

AOSP: A good solution for a controlled walled-garden app offering, but requires operators to deploy infrastructure to roll out and maintain apps.

Android TV: With 3000+ apps available and Google’s back-end infrastructure, the operator does not need to hire additional technology partners.

Providing Advanced Interaction

Consumers expect interaction with content to be simple and innovative, with the ability to utilize voice control services enhancing the entertainment experience, to cast services to the large screen or STB and play popular games on the big screen.

AOSP-based devices cannot be integrated with Google Cast. Simulating the casting experience with alternative technology needs additional integration, with access to a limited number of supporting apps, which might be useful for operators that choose to provide such an interaction only with their own service. Voice-based interaction, which comes at an additional cost from third-party technology providers, can be integrated by experienced middleware vendors and system integrators. A key consideration is the extent of deep integration of voice interaction within the user experience of the pay-TV service. It impacts the development timelines of the operator UX and home screen.

Android TV, on the other hand, comes with Google Chromecast built-in and regularly updated over the air. Powered by Google’s back-end, the Google Assistant provides AI functionality. Additionally, voice search and voice control come free with the Google TV services. As a consequence of Android TV hardware requirements, the casual gaming experience with TV remote control or Bluetooth gamepads is a default feature.

AOSP: In order to deliver advanced interaction solutions, operators need to engage additional technology partners and incur additional costs.

Android TV: Brings forth next-generation multiscreen interaction, voice interaction and gaming experience with little or no additional effort.


UNDER THE HOOD

Delivering user experience and interaction requires a certain level of hardware capability and software development for the STB. Additionally, there are considerations around future software maintenance and rolling out improvements and innovations to end-user devices.

STB Development Process

AOSP devices have to be compliant with the Android CDD in order to leverage the Android robot branding. The turnaround time to complete this self-certification process is relatively short. As there are no hardware requirements for AOSP, these STBs are cheaper from a bill of materials (BoM) perspective. Choosing a more limited user experience, e.g., without voice interaction and gaming capability, results in lower component costs. Furthermore, in terms of software components, the AOSP source code does not have the complete DVB/IPTV stack built-in. Middleware vendors or system integrators that bring this competency also provide a software framework to integrate an electronic program guide (EPG), a channel app and other features like “now and next” programming events. There are, consequently, proprietary implementations that differ across various AOSP STBs.

In the case of Android TV, this is a mixed bag. In addition to being CDD compliant, Android TV devices need to pass the Google Test Suite. The certification process itself can take between four and six weeks depending upon the preparedness and maturity of the OEM. These tests impose performance requirements that are fulfilled through the higher minimum hardware requirements for Android TV. While these hardware requirements (i.e., better chipset, higher memory and a Bluetooth receiver) drive up the BoM, in the long run the devices are better equipped to perform with new features, innovations and next-generation Android updates.

Like the AOSP devices, technology partners need to bring the DVB/IPTV stack to an Android TV project, which means that in terms of cost and effort there are similar implications between the two options. However, the Android TV stack comes with a built-in TV-Input-Framework (TIF), providing a common interface for broadcast channel apps and on-demand services to export the program metadata to a presentation layer chosen by the operator. Being a TIF-compliant device, with no additional implementation effort, a subscriber can see the content exported from linear and on-demand services in the channel’s app and program guide, as a combined content-driven experience.

AOSP: Higher cost of integration, due to more software components, offsets the savings in STB hardware with potentially limited interaction ability.

Android TV: The STB is more expensive but has a longer shelf life due to the advanced specifications. Overall, the project is less expensive due to software component reuse.

STB Maintenance and Upgrades

For AOSP devices, operators are in complete control of updating the software on the STB. There is no requirement from Android to roll out upgrades. However, any feature improvements or security patches made available in the latest AOSP source code may or may not be rolled out to the end consumer devices, based on the operator’s preferences. While this lowers the CAPEX for operators, it might leave the operations at risk due to unpatched security flaws. Furthermore, managing end-user expectations of new features for Android STBs can be challenging and cause operators to miss out on opportunities to monetize new services.


In the case of Android TV, OEMs make a commitment to Google for updating devices in the field for a period of three years. Upgrading Android TV software could impact certification of other software and services, such as DVB and HbbTV functionality and others. From a commercial perspective, managing the cost of future upgrades is a discussion between the OEM and the operator. In order to minimize the impact of upgrades of Android versions, Google is actively working on Project Treble, separating the vendor implementation — the device-specific, lower-level software written in large part by the silicon manufacturers — from the Android OS framework.³ Thus, Google works with chipset vendors early on to reduce dependency of the overall STB software on the Android TV system updates over successive generations.

AOSP: Depending on operator priorities, this approach has limited maintenance costs at the risk of losing the ability to roll out security patches to vulnerable connected STBs.

Android TV: Mandatory upgrades add to total cost of ownership over the lifecycle, but ensure well-patched, secure STBs in the operation, while rolling out innovations.

SECURING ANDROID DEVICES

As a platform for TV operators, Android opens up many opportunities. However, there are security hurdles to overcome. Android can be prone to piracy due to the fact that it’s a very flexible platform, with a lot of functionality and connectivity. With the Android platform, there is a large attack surface that is complex to protect. When an app store is open and available to a large developer base, an STB is vulnerable to untrusted apps. In addition, several development and debugging tools offered give access to core functionality, which can be a security threat. To keep threats at bay, operators need to ensure they are securing Android devices properly.

Live broadcast content such as sports is regarded by many as premium content with additional security requirements. It’s critical to add an extra level of security in order to conform to the content owners’ security demands. One key component in this security regime is to maintain a separation between the Conditional Access (CA)/DRM functionality and the application environment in the Android OS. A number of separation technologies are available, including Linux User Privileges, SELinux, Linux containers, ARM TrustZone, secure processing environments, and proprietary security cores.

As a content security provider, the Conax approach to securing Android devices leverages advanced hardware mechanisms available in modern DVB chipsets to protect the CA and DRM environment from the vulnerability of Android and malicious apps. The Conax approach is to use Trusted Execution Environments (TEE) to build two separate worlds for stack execution with Conax Lynx, an advanced separation technique that complements both smart card and cardless technologies. Using Conax Lynx, only predefined commands and data can flow between the Rich Execution Environment (REE), where the Android functionality resides, and the TEE, minimizing the attack surface of hybrid STBs.
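The "only predefined commands and data" rule, sketched as an added example (not Conax Lynx code and not taken from the whitepaper): a TEE-side gate that default-denies any command outside a fixed table, enforces per-command payload sizes, and copies the payload out of REE-shared memory once before use. The command IDs, size limits and counters are hypothetical.

```c
/* Added illustration of a TEE-side command gate. Command IDs, sizes and
 * handler behaviour are hypothetical, not the Conax Lynx interface. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { CMD_LOAD_ECM = 0x01, CMD_LOAD_EMM = 0x02, CMD_GET_STATUS = 0x03 };
enum gate_result { GATE_OK, GATE_UNKNOWN_CMD, GATE_BAD_LENGTH, GATE_BAD_ARG };

#define MAX_MSG   512u   /* largest payload any command may carry */
#define STATUS_SZ 8u     /* fixed-size status reply */

struct cmd_rule {
    uint32_t id;
    size_t   min_len, max_len;  /* accepted payload size range */
    size_t   reply_len;         /* exact reply size, 0 = no reply */
};

/* The complete set of messages allowed to cross from the REE into the TEE. */
static const struct cmd_rule ALLOWED[] = {
    { CMD_LOAD_ECM,   16, 256,     0 },
    { CMD_LOAD_EMM,   16, MAX_MSG, 0 },
    { CMD_GET_STATUS,  0, 0,       STATUS_SZ },
};

static uint32_t ecm_count, emm_count;  /* stand-in for CA client state */

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

enum gate_result tee_dispatch(uint32_t cmd_id,
                              const uint8_t *ree_buf, size_t ree_len,
                              uint8_t *reply, size_t reply_cap,
                              size_t *reply_len)
{
    uint8_t local[MAX_MSG];
    const struct cmd_rule *rule = NULL;

    if (reply_len == NULL)
        return GATE_BAD_ARG;
    *reply_len = 0;

    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (ALLOWED[i].id == cmd_id)
            rule = &ALLOWED[i];
    if (rule == NULL)
        return GATE_UNKNOWN_CMD;                 /* default deny */
    if (ree_len < rule->min_len || ree_len > rule->max_len)
        return GATE_BAD_LENGTH;
    if ((ree_len > 0 && ree_buf == NULL) ||
        (rule->reply_len > 0 && (reply == NULL || reply_cap < rule->reply_len)))
        return GATE_BAD_ARG;

    /* Copy once into TEE-private memory: the REE can still write to the
     * shared buffer, so nothing after this point reads ree_buf again. */
    if (ree_len > 0)
        memcpy(local, ree_buf, ree_len);

    switch (cmd_id) {
    case CMD_LOAD_ECM: ecm_count++; break;  /* a real agent would parse local[] here */
    case CMD_LOAD_EMM: emm_count++; break;
    case CMD_GET_STATUS:
        /* Only counters are written to the reply; no other TEE state is exposed. */
        put_le32(reply, ecm_count);
        put_le32(reply + 4, emm_count);
        break;
    }
    *reply_len = rule->reply_len;
    return GATE_OK;
}

int main(void)
{
    uint8_t ecm[32] = {0}, status[STATUS_SZ];
    size_t n;
    int r;

    r = tee_dispatch(0x7F, ecm, sizeof ecm, NULL, 0, &n);
    printf("unknown command -> %d\n", r);
    r = tee_dispatch(CMD_LOAD_ECM, ecm, 8, NULL, 0, &n);
    printf("short ECM       -> %d\n", r);
    r = tee_dispatch(CMD_LOAD_ECM, ecm, sizeof ecm, NULL, 0, &n);
    printf("valid ECM       -> %d\n", r);
    r = tee_dispatch(CMD_GET_STATUS, NULL, 0, status, sizeof status, &n);
    printf("status          -> %d (%zu reply bytes)\n", r, n);
    return 0;
}
```
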

3 https://android-developers.googleblog.com/2017/05/here-comes-treble-modular-base-for.html


In addition to the separation of the CA/DRM environment, the Conax approach also leverages the Secure Media Pipeline (SMP) of the chipset to ensure that a successful attack on the Android environment cannot in any way compromise the security of the pay-TV content being accessed by the device.

This enables operators to distribute premium 4K and linear sports content via broadcast while simultaneously offering an abundant selection of Android apps. The complexity of integrating security for broadcast content is almost the same for both Android TV and AOSP when using Conax Lynx. Conax Lynx provides a standardized API toward the Android stack, with the option of using the MediaCAS API from Android Oreo version onwards. MediaCAS API is a Google-defined interface which is designed to easily integrate CA implementations from various vendors. Security vendors like Conax play a key role in this integration process.

In the world of OTT content and unmanaged IP devices, DRM plays a major part in content security. It’s important to note that AOSP devices do not include a DRM implementation by default. Based on the operator’s content needs, OEMs can integrate proprietary DRMs like Conax Connected Access or others like Microsoft PlayReady and Google Widevine into the STB. Alternatively, the DRM can be included in the apps themselves, but this adds significant complexity to the app. The level of DRM security required is mandated by content rights owners, which further impacts the choice of chipset. Middleware vendors, system integrators and OEMs work on different layers to integrate the DRM in the AOSP device.

For Android TV, both PlayReady and Widevine are mandated in the STB, and the OEM is required to have a license for the same. Chip vendors pre-integrate the DRM stack in the chipset and deliver this to the OEM. The OEM or middleware vendor additionally integrates the DRM into the secure player on the Android stack.

AOSP: No built-in DRM. Allows operator to pick and choose specific DRMs, resulting in higher project timelines for DRM integration.

Android TV: Mandates Widevine and PlayReady DRMs in the STB. Ensures smooth integration of third-party OTT services.

Conax recommendation: Use TEE-based separation techniques to secure linear content on AOSP and Android devices, which require the same effort.

[Figure: set-top-box block diagram with the labels Android Middleware, Middleware API, Conax Lynx Main Agent, Conax Lynx Trusted Agent, REE, TEE and Secure Media Pipeline (SMP).]


Choosing Android TV

With Android TV, the key concerns are the cost of STB hardware and the future maintenance and upgrade costs of the software. Also, for some operators, the inability to control which apps and services are accessible on the platform — including the presence of competitors’ services — is a concern. The primary upsides include the massive content offering via Google services like Play Store and increased user engagement with advanced interaction methods like Chromecast and the Google Assistant built-in. All of this comes at a relatively low level of complexity and effort thanks to the reuse of several pre-built components in the Android TV stack. Those wanting to differentiate the UX can leverage the Operator Tier launcher including white-label offerings. Additionally, well-specified hardware with regular Android updates extends the lifecycle of the STB with increasing monetization opportunities.

Going the AOSP direction

In terms of benefits of AOSP, the operator could potentially have a cheaper STB device with the freedom to control the user experience. It also gives the operators better control of apps and services being used on the device through an operator-controlled app store. This approach has limited to no costs in terms of future upgrade and maintenance. The downside is high upfront project costs and longer timelines due to custom launcher development, integration of multiscreen interaction, voice interaction features and others. Staying away from regular maintenance upgrades leaves the operation vulnerable to security flaws. Managing expectations of subscribers that choose this Android STB proposition expecting a high number of apps and games like that on the Google Play Store will be a challenge for the operator.

COMPARING THE DIFFERENT APPROACHES TO ANDROID

[Table: Comparing the approaches to Android. Legend: Recommended, Sub-optimal, Not Recommended. Criteria compared:]

• Easy to customize Launcher / Home Screen

• Access to a world of Apps & Games

• Can block competitor apps on the STB

• Easy to integrate Voice interaction

• Easy to integrate Google Cast

• Low STB hardware cost

• Additional certifications & compliance

• Ease of integrating DVB/IPTV stack

• Complete Operator control on STB software update

• Easy to integrate CA for linear content

• Easy to integrate DRM for on demand content

• Availability of Android feature updates


CONCLUSION

Providing a top-notch user experience is a key to success in today’s pay-TV operations. Television viewers expect a user-friendly interface or home screen on STBs that mirrors the experience they’re used to on other devices like smartphones and tablets. Moreover, they want access to more than just linear and on-demand content. There’s an entire world of apps and games that can be explored and enjoyed on TV screens.

Operators are competing with OTT apps like Netflix, Amazon Prime, HBO, Discovery, iFlix and Maxdome and facing an increase in cord-cutters and cord-nevers. Android enables them to offer a host of services to end-users and tap into new revenue opportunities. It is not easy to jump from a broadcast infrastructure to full IP overnight, therefore a lot of new service introductions using Android-based hybrid STBs are expected in the near future.

The choice of Android AOSP versus Android TV should be aligned with the operator’s business strategy and the total cost of ownership. The previous section summarizes the implications of each approach from a short-term and long-term perspective. Considerations around user experience and branding, end-user engagement and churn, future monetization opportunities, project complexity, time to market and content security must be carefully weighed to reach a decision.

To be competitive, operators today need to launch new services and features quickly and provide a next-gen user experience. Ultimately, Android TV enables them to do that, offering a shorter time to market for new offerings compared with AOSP, more advanced features (e.g., voice interaction and gaming) and access to a world of content by offering over 3000 apps in the Google Play Store. Innovations can be rolled out without STBs being vulnerable to security threats.

Conax offers a unique approach for Android that separates the linear content from the Android environment leveraging advanced separation technology provided by Conax Lynx. Combined with the multi-DRM functionality of Conax Contego, our world-leading content protection platform, we simplify content security operations for operators and ease the migration to hybrid Android STBs.

About the Whitepaper

This paper was written based on research with multiple industry stakeholders who develop Android set-top-box solutions, combined with Conax’s in-house expertise in providing security to Android STBs for pay-TV operators. We would like to give a special thanks to the team from Google for providing input and for participating in the review process.


Interested in becoming a Conax partner? Contact: [email protected]

Request a demo or visit from us? Contact: [email protected]

Need more information on Conax solutions ?

www.conax.com [email protected] T: +47 22405200

About Conax

A Kudelski Group company, Conax is a leading global specialist in total service protection for digital TV and entertainment services via broadcast, broadband and connected devices. Based on the Conax Contego security back-end, Conax’ future-ready technology offers modular, fast-time-to-market solutions that enable easy entry into a world of secure multiscreen, multi-DRM and IPTV content delivery and secures rights for premium content delivery to a range of devices over new hybrid network combinations. Headquartered in Oslo, Norway, Conax technology enables secure content revenues for 425 operators in 85 countries globally.

For more information, please visit www.conax.com and follow us on Twitter and LinkedIn.