Widevine is a Digital Rights Management (DRM) system that secures content from unauthorized downloading and redistribution. Integrated into Android OS, Chrome browsers, and Chromecast devices, Widevine operates through three security levels (L1, L2, and L3). Each of these levels is defined by the hardware and software capabilities of the client device.

These levels determine how securely content keys and video streams are handled during playback and are selected based on the compliance of the playback environment with Widevine's licensing requirements.

Security Levels of Widevine

Widevine supports three security levels, each offering a different combination of encryption, decryption, and video processing capabilities. These levels determine the protection provided to video content during streaming or playback.

L1: High-Security Level with Hardware-Based Decryption

L1 is the most secure level in the Widevine DRM system. At this level, both decryption and processing of video content occur within a Trusted Execution Environment (TEE) or Hardware Security Module (HSM). These secure environments are isolated from the rest of the system, which protects decryption keys and prevents unauthorized access.

Key Characteristics:

Full Hardware Decryption: Content is decrypted inside a trusted, isolated environment in the device's hardware, preventing unauthorized access.

Playback of HD and UHD Content: Only devices that support Widevine L1 can stream premium content, including 4K UHD video, in a secure environment.

Use Cases: L1 is used for streaming premium content, with decryption and video processing both occurring within a TEE. This minimizes the exposure of content during playback and aligns with distribution requirements for high-value media.

Example Devices Supporting L1 Security:

Smartphones: Samsung Galaxy S21/S22/S23, Google Pixel 6/7/8, OnePlus 9/10, Xiaomi Mi 11

Smart TVs: LG OLED Series, Samsung QLED, Sony Bravia 4K and 8K TVs

Laptops/PCs: MacBook Pro (2021+), Surface Laptop 4/5, high-end Windows PCs

Example: Detecting Widevine security level on Android

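```kotlin
import android.media.MediaDrm
import android.util.Log
import java.util.UUID

// Open the Widevine plugin and read the level it reports, e.g. "L1" or "L3".
val drm = MediaDrm(UUID.fromString("edef8ba9-79d6-4ace-a3c8-27dcd51d21ed"))
val securityLevel = drm.getPropertyString("securityLevel")
Log.d("Widevine", "Security Level: $securityLevel")
```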

Explanation:

  • UUID.fromString("edef8ba9-79d6-4ace-a3c8-27dcd51d21ed"): This creates a UUID object for the Widevine DRM system. The string passed is the Widevine UUID.
  • MediaDrm: This class is used to manage the decryption and license retrieval process for DRM-protected content.

L2: Medium-Security Level with Partial Hardware Decryption

L2 security combines both hardware and software for decryption. While the video content is decrypted within a Trusted Execution Environment (TEE), video processing for playback occurs outside the secure environment, on the general-purpose CPU.

Key Characteristics:

Hardware-Based Decryption: Video content is decrypted in a secure environment (TEE), but the video processing occurs on the CPU.

Content Protection for Non-Premium Streams: L2 supports HD content but is not suitable for UHD content because video processing is done outside the TEE.

Use Cases: L2 supports devices that require moderate security but don't need the highest level for HD content. It is used for mid-range smartphones and smart TVs.

Example Devices Supporting L2 Security:

Smartphones: Samsung Galaxy A52/A53, Xiaomi Redmi Note 11/12, Motorola Moto G Power

Tablets: Samsung Galaxy Tab S7, Lenovo Tab P11, Huawei MatePad Pro

Smart TVs: TCL 5-Series, Vizio 4K Smart TVs, Hisense U6G

L3: Low-Security Level with Software-Based Decryption

L3 is the lowest security level in Widevine, where decryption is performed in software on the device's CPU. While this allows for broad device compatibility, it offers the least protection against piracy. Decryption keys are stored in the device's memory and are vulnerable to extraction by malware or unauthorized users.

Key Characteristics:

Software-Based Decryption: Decryption is performed by the main CPU rather than hardware, making it more vulnerable to attacks or piracy.

Low Protection: L3 is used on devices without hardware-backed DRM capabilities and is applied to content with less stringent security requirements.

Use Cases: L3 is suitable for lower-resolution content or devices incapable of supporting hardware-based security (e.g., budget devices or non-secure environments).

Example Devices Supporting L3 Security:

Smartphones: Older models like the Motorola Moto E, Xiaomi Redmi 9, or Samsung Galaxy A10

Tablets: Budget Android tablets such as Amazon Fire 7 and Lenovo Tab M10

Smart TVs: Budget 4K models like Insignia, Sharp, or Element TVs

Impact of Widevine Security Levels on Video Content Protection

L1 Security for Premium Content

L1 protects content to the highest standard. By isolating decryption and video processing in a trusted hardware environment, it prevents the content from being illegally captured or intercepted during playback. Video services offering high-value content rely on L1 for strong content protection.

L2 Security for HD Content

L2 strikes a balance between performance and protection. It provides hardware-based decryption, but processing is done on the general-purpose CPU. L2 streams HD content but falls short of the highest level of protection needed for UHD content. Streaming platforms may choose L2 for HD content delivery on devices that support moderate security.

L3 Security for Low-Value Content

L3 is suitable for less valuable content, such as standard definition video streams. Devices without secure hardware can still decrypt video content, but the lower security level increases the risk of piracy. L3 is typically used in environments where content protection is not a high priority.
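
The following Kotlin code is an added example, not part of the original article: it maps the string returned by the securityLevel property to the quality tiers described above and falls back to L3 whenever the value is missing or unrecognized. The Rendition type, the function names, and the 480/1080/2160 height caps are assumptions made for illustration.

```kotlin
// Added example: security level -> rendition cap, following the tiers in this article.
enum class WidevineLevel { L1, L2, L3 }

data class Rendition(val name: String, val height: Int)

// Parse the string returned by MediaDrm.getPropertyString("securityLevel").
// Anything missing or unrecognized is treated as L3, so a parsing failure
// can never unlock a higher tier than the device has reported.
fun parseLevel(raw: String?): WidevineLevel =
    when (raw?.trim()?.uppercase()) {
        "L1" -> WidevineLevel.L1
        "L2" -> WidevineLevel.L2
        else -> WidevineLevel.L3
    }

// Assumed height caps (not from the article): SD = 480, HD = 1080, UHD = 2160.
fun maxHeight(level: WidevineLevel): Int = when (level) {
    WidevineLevel.L1 -> 2160
    WidevineLevel.L2 -> 1080
    WidevineLevel.L3 -> 480
}

// Keep only the renditions the level allows, highest resolution first.
fun allowedRenditions(level: WidevineLevel, ladder: List<Rendition>): List<Rendition> =
    ladder.filter { it.height <= maxHeight(level) }.sortedByDescending { it.height }

fun main() {
    // Constructed rendition ladder and constructed property values.
    val ladder = listOf(
        Rendition("SD", 480), Rendition("HD", 1080), Rendition("UHD", 2160)
    )
    for (raw in listOf("L1", "L2", "L3", " l1 ", "", null)) {
        val level = parseLevel(raw)
        val names = allowedRenditions(level, ladder).map { it.name }
        println("reported=${raw ?: "null"} -> $level, allowed=$names")
    }
}
```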

Implementing Widevine DRM with ExoPlayer (Android)

To implement Widevine-protected playback in Android apps, developers use ExoPlayer. It is a media player that supports encrypted streaming through its DrmSessionManager and integrates seamlessly with Widevine Modular DRM.

Example: ExoPlayer configuration for Widevine DRM playback

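```kotlin
// Imports use AndroidX Media3; ExoPlayer 2.x has the same classes under com.google.android.exoplayer2.
import androidx.media3.common.C
import androidx.media3.datasource.DefaultHttpDataSource
import androidx.media3.exoplayer.drm.DefaultDrmSessionManager
import androidx.media3.exoplayer.drm.FrameworkMediaDrm
import androidx.media3.exoplayer.drm.HttpMediaDrmCallback

val drmSessionManager = DefaultDrmSessionManager.Builder()
    .setUuidAndExoMediaDrmProvider(C.WIDEVINE_UUID) {
        FrameworkMediaDrm.newInstance(C.WIDEVINE_UUID)
    }
    .build(HttpMediaDrmCallback(licenseUrl, DefaultHttpDataSource.Factory()))
```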

Explanation:

  • val drmSessionManager = DefaultDrmSessionManager.Builder(): Starts building the DefaultDrmSessionManager, which manages Digital Rights Management (DRM) sessions in ExoPlayer; the finished object is assigned to drmSessionManager.
  • C.WIDEVINE_UUID: A constant that holds the UUID specific to the Widevine DRM system, used to configure the DRM session.
  • FrameworkMediaDrm.newInstance(C.WIDEVINE_UUID): This creates an instance of FrameworkMediaDrm, ExoPlayer's wrapper around the Android framework MediaDrm class.
  • HttpMediaDrmCallback(licenseUrl, DefaultHttpDataSource.Factory()): This creates a callback that handles the process of acquiring a DRM license from a license server.
  • licenseUrl: This is the URL to the license server where the player will request the DRM license to decrypt the content.
  • DefaultHttpDataSource.Factory(): This sets up the HTTP data source factory, which is used to make HTTP requests for the license.

Comparing Widevine Security Levels: L1 vs. L2 vs. L3

| Security Level | Decryption | Processing | Use Case | Video Quality | Device Support |
|---|---|---|---|---|---|
| L1 | Hardware | Hardware | Premium Content and 4K UHD Streaming | 4K UHD and HD | High-End Smartphones, Smart TVs, and Laptops |
| L2 | Hardware | CPU | HD Content on Mid-Range Devices | HD | Mid-Range Smartphones and Tablets |
| L3 | CPU | CPU | SD Content and Older Devices | SD | Budget Smartphones and Non-Secure Environments |