For years, Digital Rights Management (DRM) systems have been the go-to solution for protecting media content against piracy. With the growing consumption of content through Over-the-Top platforms, such as Netflix or Prime Video, DRMs have been deployed on numerous devices that are considered potentially hostile environments. In this paper, we focus on the most widespread solution, the closed-source Widevine DRM. Installed on billions of devices, Widevine relies on cryptographic operations to protect content. Our work presents a study of Widevine internals on Android, mapping its distinct components and identifying the different cryptographic keys involved in content decryption. We provide a structural view of Widevine as a protocol with its complete key ladder. Based on our insights, we develop WideXtractor, a tool based on Frida to trace Widevine function calls and intercept messages for inspection. Using this tool, we analyze Netflix's usage of Widevine as a proof-of-concept, and raise privacy concerns about user tracking. In addition, we leverage our knowledge to bypass the obfuscation of the software-only version of Widevine on Android, namely L3, and recover its Root-of-Trust.