Installing own App on Rooted WebOS LG TV - drm

I am trying to install my own web App to a ROOTED LG TV, ignoring Developer mode status. I have successfully run it with Devmode = On, but it expires after 48 hours, and I have to do it over. I want to use the TV as a menu display. I can install my App, using "ApplicationInstallerUtility -c install -p /tmp/com.xxx.xxx_1.0.0_all.ipk -u 0 -l /media/cryptofs -d", but when I try to start it with Developer Mode = Off , using ssh and luna://com.webos.applicationManager/launch, I get an error code 302, and a text "errorText": "Failed to identify a proper DRM file".
What can I do to solve this issue? How can I sign my app, without going to LG content store? Thanks in advance.

Many DRM implementations will have a check for rooted devices and will not work if they detect the device is rooted - the logic is that a rooted device may not have the same protection for the media path and the keys.
If for your use case you don't actually need DRM, which could be the case if the streams you want to play are not encrypted, then it may be worth looking at your application and removing any DRM configuration or libraries it includes.
Update
The term DRM can be used generally to describe Digital Rights Management for anything, e.g. software, book, media etc, or to refer to the common DRM solutions used to protect media such as Widevine, PlayReady, FairPlay etc.
Unfortunately, the LG WebOS documentation seems to use the term for both which makes it hard to interpret the type of error you are seeing.
The manual for the error code you are seeing simply suggests the error message should be "Failed to check DRM.'
http://webostv.developer.lge.com/api/webos-service-api/application-manager/?wos_flag=launch#launch.
This might be a reference to a media DRM, but it also could be talking about the DRM used to sign and protect apps themselves.
LG have a WebOS security solutions guide also that explains their app signing security which you may be able to find on the web.
I suspect that the error message you are seeing is related to this use of the term 'DRM'.
Assuming that is the case, then unfortunatly, you are either going to have to remove this security framework in your device, which I suspect will not be trivial, or submit the app to the LG content store.

Related

Prompting for Bluetooth permission on Big Sur (11.0.1)

Upon upgrading to Big Sur (macOS 11.0.1), our app is now asking the user to grant permission to use Bluetooth. However, we are not running any bluetooth code to my knowledge. We do link to CoreBluetooth, but it's been like that for a long time, and this prompt has not appeared.
When running in Xcode 12.2 it does crash with this message:
2020-11-13 13:21:58.685610-0800 Fuze[31049:200367] [access] This app has crashed because it attempted to access privacy-sensitive data without a usage description. The app's Info.plist must contain an NSBluetoothAlwaysUsageDescription key with a string value explaining to the user how the app uses this data.
But to my knowledge, NSBluetoothAlwaysUsageDescription is only applicable for iOS devices.
I suspect this is something new with Big Sur, because the System Preferences UI for Security & Privacy -> Privacy, did not have a Bluetooth section in Catalina, and it does in Bug Sur. But the Apple documentation does not make mention of this key being applicable for macOS.
https://developer.apple.com/documentation/bundleresources/information_property_list/nsbluetoothalwaysusagedescription
So my questions are:
Is this key now applicable for macOS and we should have it, even though the documentation says it's only for other platforms, or is there a different key for bluetooth for macOS? I haven't found one.
Is there a way to control this prompting or not, because we aren't actually using the bluetooth code. We need the framework for a particular feature, but it's not applicable for many users, so it's confusing to ask permission for it right when the app launches.
Thank you!
I'm not confident about this, but I've been running into some Bluetooth on Big Sur strangeness today as well. In my case, I run a Bluetooth peripheral from the Terminal, and I was also recently prompted to provide the Terminal with Bluetooth permission (which I'd never seen before).
For testing purposes, you can try the "Privacy — Bluetooth Peripheral Usage Description" or "Privacy - Bluetooth Always Usage Description" - and see whether that resolves the crash (I assume it would). It's strange, as I didn't think either of these were required in the past - but it looks like Big Sur is definitely cracking down on permissions.
When you go to "Signing and Capabilities", if there is an option to enable "Hardware -> Bluetooth" in the "App Sandbox" - I would try that out too (you may also need to enable Location, but I can't recall). I'm curious if modifying that flag would change anything regarding permissions.
When you link to CoreBluetooth, are you using the API at all? Because the permission check should happen on the first API call. But, Bluetooth is weird, so it might kick in as soon as the app launches...
In thinking about it, I've actually never optionally used Bluetooth in an app - it's always initialized from app start, so I can't say when the permission check occurs.

Bypassing HDCP protection

I am a Linux user and was unhappy to discover that HDCP protection on websites such as vhx.tv is preventing me from viewing the content in perfectly legitimate contexts because all Linux browsers lack HDCP support. Since HDCP was "broken" years ago, in terms of master key leaking, any device could theoretically authorize itself against an HDCP check.
Hypothetically, what is preventing someone from either writing a browser extension or creating a custom firefox build that overrides the DRM API in this way?
Why is there no such project, is it just a lack of interest or is there a hard technical barrier that is preventing this? How can anyone say that HDCP was "broken" if not even legitimate users can circumvent it when they wish to do so (eg. to watch DRM content on Linux)?
DRM systems are not within the browsers control usually, they are self-contained blobs, and the only way to get licenses (and therefore the content keys) is by using the DRM module to do a license acquisition operation.
Getting the license and decrypting and displaying the content happens within the DRM component (outside the purview of the browser) and can therefore not be accessing from a browser extension. The only way to get around that, would be to create an unauthorised version of the DRM module, get that loaded in the browser, and not have the server side code discover that the DRM module has been altered. This is generally very hard, and that is really what makes the DRM module work.

How to Programmatically Detect Interop-unlocked Windows Phone devices? [duplicate]

Since I am new to Windows Phone Technology, I want to programatically find in my application that windows device is rooted/jailbrake or not. I found many links but it seems like no way for finding rooted windows device programatically. So is there any way to find rooted/jailbreak windows device programatically any API available for this ? Can anyone help me ?
Thanks
Rooting and/or jailbreaking is not officially supported by Microsoft and therefore there is no official way for you to check if your application is running on such device.
In principle, you could check that, but that check would involve adding stuff to your application that would not pass the certification which means that you can run that application only on jailbroken device.
Which then means that you don't need to check at all since you already know that you are running on such hardware.

Windows Phone 7 Security Issues

I was looking into OWASP Top 10 Mobile Risks for security issues to be kept in mind while developing mobile applications. They have given very good information pertaining to Android and iOS platforms. Some notable ones include Client Side Injections, iOS Abusing URL Schemes, Android-Abusing Intents, Keystroke logging, Screenshots/iOS Backgrounding, Logs etc.
These were very useful and now I want to know if there are any new vulnerabilities that exist in Windows Phone 7 , which were not present in Apple iOS and Google Android.
My requirement is, I need to build somewhat like a Damn Vulnerable WP7 App to educate the WP7 developers in my project to build secure applications for our clients.
OWASP has already built iGoat (iOS application) and DroidGoat (Android application) for the sake of iOS and Android developers. I dont see any such application for Windows Phone 7.
Currently WP7 appears to be a very secure OS. Whilst I am sure it has vulnerabilities, these have not been exploited yet. Interestingly AVG released an anti-virus / malware app for WP7. This was pulled from the marketplace because it didn't actually do anything since there are no viruses for the phone yet!
http://www.winrumors.com/microsoft-pulls-avg-antivirus-windows-phone-app-from-the-marketplace/
There has been a recent SMS flaw discovered:
http://nakedsecurity.sophos.com/2011/12/14/windows-phone-7-5-susceptible-to-sms-hack/
Having said that, there is still a need to educate developers about security. You can of course build an application which has its own security vulnerabilities by failing to protect the users data for example.
if there are any new vulnerabilities that exist in Windows Phone 7
Actually, I dare say there ain't any old ones either. Most of the security issues on Android is caused by the ability to change the system 110%. Windows Phone don't have intents, don't allow process inspection, or access to the raw file-system.
As Colin said, the security issues there can occur is related to data handling. For instance, the isolated storage can be inspected by jailbreaking the device, and as such you can read out unencrypted passwords (or other personal data) from the isolated storage.
However, to jailbreak a device, you need physical access to it. And you can't remote install a application for inspecting the isolated storage, even if the device was jailbreak'd. It can only be done by USB.

Cross platform multimedia kiosk

My team is tasked with building a full screen, kiosk-style application for playing back media files. Initially we need to support WMV / MP4 as well as some images in full 1080p, although down the line we will need to extend this to cover other formats (different videos formats as well as display of HTML, SWF, etc).
The application also contains a decent chunk of business logic relating to scheduling, logging, performance monitoring as well as network code to talk to a central server through web services (or maybe TCP) and potentially act as a server itself.
For our WMV / MP4 video playback, hardware acceleration will be a massive bonus. The targetted hardware has weak CPUs but strong graphics cards.
Here's the kicker: we're a .NET shop (our existing application is a WinForms smart client) and extremely experienced and productive in C# and the .NET stack. The app will initially be targetting Windows Embedded (.NET 3.0), but we will quickly need a Linux version as well. Between us we have some C/C++ experience and some Linux experience but we do not anticipate good productivity on that platform.
So I am soliciting recommendations specfically on the following points:
Video. On Windows we have seen good success using DirectShow.NET. On capable hardware, the WPF MediaElement also seems to perform well. What should we be using on Linux? libavcodec seems like a common choice. Is it hardware accelerated on NVidia graphics cards on Linux? What other options do we have on Linux? Is there something cross-platform that I could consider?
Stack.
a) Ideally we could write the whole thing in .NET and then run under Mono on Linux. The video playback and presumably some other components (like performance monitoring) would not be supported on Mono. I guess we could rewrite these elements in, say, C++; but I'm guessing that most stuff on the business logic side would work.
b) Maybe it's better to forfeit our up-front productivity on the Windows version for something that's cross platform out of the gate. What about Java? Do we have different options when it comes to video there? How about another framework? Something like QT? Can anyone else suggest something cross platform that would be relevant?
Broadly speaking, given the requirements, what would you use?
I appreciate any anwsers you might have.
My suggestion is that you use Fluendo's GStreamer components for the video playback as it has support for hardware acceleration where available and fully licensed codecs.
You can look at the Banshee media player which support video playback if you have the Fluendo/GStreamer packages installed. Get OpenSUSE 11.2 which contains everything you need to try it and develop, and then buy and install the Fluendo codecs.
Source code wise, Banshee does the video display from C#, look here:
The C# source code consuming GStreamer and doing the video rendering is here:
http://git.gnome.org/browse/banshee/tree/src/Extensions/Banshee.NowPlaying/Banshee.NowPlaying
The C supporting library to call into Fluendo is available here:
http://git.gnome.org/browse/banshee/tree/libbanshee
For testing Banshee, you do not need to buy anything, but your video codecs will be limited to Ogg/Theora encoded videos. Once you get Fluendo's codecs you will be able to play WMV files.
One option would be to use Silverlight, and explore Moonlight as an option for the linux version. My understanding is that Moonlight has several media/codec plugins (I believe ffmpeg is the main provider) and can additionally use the MS codec pack to give you support for things like WMV/MP4.
You can use ffmpeg in mono and .net. This may or may not include video display - ffmpeg usually just provides you with a decoded bitmap that you can do whatever you want with, be it display it in a window, save it in a file, whatever. If you use ffmpeg-sharp the same code should work on Windows or Linux. Really, putting the bitmap in a window is the easy part.
Moonlight offers two codecs: (a) A fully licensed version that comes straight from Microsoft and requires no further negotiation with the MPEG-LA and other patent holders, or (b) an ffmpeg backend that requires you to negotiate with the patent stock holders if you plan on using.
You could build a Silverlight-based application, the trick to get access to the local system is very simple: you run a local web server that exposes those services.
You can still use C#/Sqlite or VistaDB as your storage system as part of your Silverlight application.
You could host the silverlight app in http://localhost/App.xap and this app would gain local access to the machine by contacting a REST or SOAP web service on http://localhost/rest.ashx or http://localhost/soap.asmx
For example, if you needed to read some values from a scanner connected to the machine, you would issue this request:
http://localhost/scanner.ashx?operation=scan_badge
Then your scanner.ashx HttpHandler will do the actual scanning (this one has full system rights) and return the value to the Silverlight application.

Resources