Widevine DRM protects video content across browsers, mobile devices, smart TVs, and casting devices. It ensures secure playback through Content Decryption Modules (CDMs), encryption, and device-level enforcement policies.
Widevine supports three security levels (L1, L2, and L3), which determine playback quality and security based on hardware capabilities and attestation. Device integrity is verified using attestation protocols, such as Trusted Execution Environment (TEE) validation for L1 playback.
Widevine Security Levels and Device Compatibility
Widevine classifies devices based on hardware and software security capabilities. The security level directly impacts playback quality and robustness.
| Security Level | Description | Common Devices |
| --- | --- | --- |
| L1 | Highest protection: hardware-backed key storage, secure video path, and device attestation via TEE. | Modern smartphones, smart TVs, and Chromecast Ultra. |
| L2 | Partial hardware protection: software-based decryption with trusted OS components. | Some Android tablets and mid-tier phones. |
| L3 | Software-only decryption and minimal protection. | Browsers without hardware DRM and legacy devices. |
Note: Devices must pass Widevine's integrity checks during license acquisition. L1 devices require TEE attestation to ensure keys are processed in secure hardware. Devices failing attestation are downgraded or denied playback.
Cross-Platform CDM Integration
Widevine uses dynamic keys to reduce long-term risk. License servers can enforce rotation, expiration, and device binding policies.
{
  "content_id": "12345",
  "allowed_track_types": ["SD", "HD"],
  "security_level": "L1",
  "license_duration": 86400
}
Explanation:
- content_id ties the license to a specific asset.
- allowed_track_types restricts playback based on device security.
- license_duration limits how long a license is valid.
Offline playback stores keys securely, but devices must periodically revalidate licenses, even without network access.
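// provideKeyResponse() returns a key-set ID for offline keys (null or empty otherwise).
val offlineLicense = mediaDrm.provideKeyResponse(sessionId, licenseData)
if (offlineLicense != null && offlineLicense.isNotEmpty()) {
    // Persist the ID (saveLicenseToStorage is app-defined) for a later restoreKeys() call.
    saveLicenseToStorage(offlineLicense)
}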
Key Rotation and Policy Enforcement
Widevine checks device integrity using attestation protocols before allowing high-security playback. L1 requires TEE attestation, verifying that keys will stay within a secure hardware boundary. The CDM communicates attestation results during license requests.
Revocation:
Compromised devices or emulators may be blocked using Certificate Revocation Lists (CRLs) or dynamic revocation; if a device is flagged, license requests will be denied. This prevents playback on rooted/jailbroken or tampered devices.
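How a license server might combine the policy fields shown earlier with the attestation and revocation checks described above, as an added example (not Widevine's or the page's own code). The request shape, the revocation set and the SD-only downgrade rule are assumptions for illustration.

```javascript
// Added example: hypothetical server-side policy check, not Widevine's own API.
// Policy fields come from the JSON above; the request shape is an assumption.
const LEVEL_RANK = new Map([["L3", 1], ["L2", 2], ["L1", 3]]);

// Constructed sample policy using the page's fields.
const samplePolicy = {
  content_id: "12345",
  allowed_track_types: ["SD", "HD"],
  security_level: "L1",
  license_duration: 86400,
};

// request: { content_id, device_id, claimed_level, attested } (assumed shape)
// revoked: Set of device ids standing in for a CRL lookup
// nowSec:  current time in seconds, injected so results are reproducible
function evaluateLicenseRequest(policy, request, revoked, nowSec) {
  const deny = (reason) => ({ granted: false, reason });
  if (request.content_id !== policy.content_id) return deny("content_mismatch");
  if (revoked.has(request.device_id)) return deny("device_revoked");

  const required = LEVEL_RANK.get(policy.security_level);
  if (required === undefined || !LEVEL_RANK.has(request.claimed_level)) {
    return deny("unknown_security_level"); // fail closed on bad input
  }
  // An L1 claim without a passing TEE attestation is treated as L3.
  const effective =
    request.claimed_level === "L1" && !request.attested ? "L3" : request.claimed_level;

  let tracks = policy.allowed_track_types;
  if (LEVEL_RANK.get(effective) < required) {
    // Assumed downgrade rule: below the required level, SD at most.
    tracks = tracks.filter((t) => t === "SD");
    if (tracks.length === 0) return deny("insufficient_security_level");
  }
  return {
    granted: true,
    effective_level: effective,
    track_types: tracks,
    expires_at: nowSec + policy.license_duration,
  };
}
```

The revocation check runs before any level comparison, so a flagged device is denied even when its claimed level would otherwise qualify.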
Platform CDM Integration
Widevine integrates with CDMs across browsers and OS platforms. Despite different implementations, the license acquisition flow remains consistent.
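function requestLicense(initData) {
  const session = mediaKeys.createSession();
  // Attach the handler first so the CDM's 'message' event is not missed.
  session.addEventListener('message', handleLicenseResponse);
  // generateRequest() returns a promise; return it so callers can handle rejection.
  return session.generateRequest('webm', initData);
}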
Explanation:
- mediaKeys.createSession() initiates an EME session.
- generateRequest() sends a license request to the Widevine server.
- handleLicenseResponse parses and installs the key securely.
Browsers like Chrome and Firefox use EME, while Android apps use MediaDRM APIs. On iOS, Widevine is only supported in browsers, not native apps.
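An added example, not from the original page, that extends the flow above: it probes Widevine's EME robustness values from hardware-backed to software-only, then relays the CDM's license request and installs the response. The function names and the two injected callbacks are assumptions; requestAccess stands in for navigator.requestMediaKeySystemAccess.

```javascript
// Added example, not from the original page. Intended for a browser; the
// injected callbacks (requestAccess, sendToLicenseServer) are assumed names.
const WIDEVINE = "com.widevine.alpha";
// Widevine EME robustness values, strongest (hardware-backed) first.
const ROBUSTNESS_ORDER = [
  "HW_SECURE_ALL", "HW_SECURE_DECODE", "HW_SECURE_CRYPTO",
  "SW_SECURE_DECODE", "SW_SECURE_CRYPTO",
];

// Probe from strongest to weakest and return the first level the CDM accepts.
// In a browser: requestAccess = (ks, cfg) => navigator.requestMediaKeySystemAccess(ks, cfg)
async function negotiateRobustness(requestAccess, contentType, initDataType) {
  for (const robustness of ROBUSTNESS_ORDER) {
    const config = [{
      initDataTypes: [initDataType],
      videoCapabilities: [{ contentType, robustness }],
    }];
    try {
      const access = await requestAccess(WIDEVINE, config);
      return { access, robustness };
    } catch (err) {
      // Only "not supported at this level" moves on; anything else is a real error.
      if (err.name !== "NotSupportedError") throw err;
    }
  }
  throw new Error("Widevine unavailable at every robustness level");
}

// Relay the CDM's license request to the server and install the response.
// Returns the listener so callers can detach or invoke it.
function wireLicenseExchange(session, sendToLicenseServer, onError = console.error) {
  const onMessage = async (event) => {
    try {
      const license = await sendToLicenseServer(event.message);
      await session.update(license);
    } catch (err) {
      onError(err); // a failed exchange must surface, not stall silently
    }
  };
  session.addEventListener("message", onMessage);
  return onMessage;
}
```

The negotiated robustness tells the player which security tier the CDM agreed to, so it can be logged alongside the license request for comparison with what the server grants.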
Mobile DRM: Android and iOS
Android (MediaDRM + TEE)
Android uses MediaDRM for decryption. On L1 devices, keys are handled inside a Trusted Execution Environment (TEE).
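// Widevine's DRM scheme UUID; the constructor throws UnsupportedSchemeException if the device lacks it.
MediaDrm mediaDrm = new MediaDrm(UUID.fromString("EDEF8BA9-79D6-4ACE-A3C8-27DCD51D21ED"));
byte[] sessionId = mediaDrm.openSession();
// keySetId is the value returned earlier by provideKeyResponse() for an offline license.
mediaDrm.restoreKeys(sessionId, keySetId);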
Explanation:
- openSession() establishes a secure session.
- restoreKeys() retrieves stored keys for offline use.
HDCP output protection is enforced when casting to external displays.
iOS and Safari
Native iOS apps use FairPlay, not Widevine. In browsers like Safari, Widevine is supported via Encrypted Media Extensions (EME):
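import AVFoundation
// assetURL and drmDelegate (an AVAssetResourceLoaderDelegate) are supplied by the app.
let asset = AVURLAsset(url: assetURL)
asset.resourceLoader.setDelegate(drmDelegate, queue: DispatchQueue.global())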
On iOS, Widevine support is limited to Safari with EME. Native iOS playback must use FairPlay due to lack of system-level CDM support.
Multi-Screen Playback: Casting and Mirroring
Widevine supports casting via Google Cast and AirPlay, with dynamic license enforcement depending on the target screen's capabilities.
- Chromecast Ultra supports L1 and enforces full HD/4K.
- Older Chromecasts and many AirPlay targets default to L3, causing resolution downgrade.
The Cast receiver app must include a CDM, while the sender handles license proxying and playback security.
Performance Considerations: L1 vs. L2 vs. L3
| Factor | L1 (Secure Hardware) | L2 (TEE-based Decryption) | L3 (Software Decryption) |
| --- | --- | --- | --- |
| Battery Usage | Higher due to secure video pipeline and TEE switching. | Moderate: less efficient than L1, more efficient than L3. | Lower power draw. |
| Latency | May increase due to hardware communication. | Slight: involves TEE, but avoids hardware-video pipeline. | Minimal |
| Resolution | Supports HD/4K | Typically supports HD; may be capped below 4K. | Often capped at SD |
