Widevine Client Configuration
This configuration applies to native client applications that include custom code and data to support its MSL configuration as well as access to a Widevine client library capable of key exchange. Examples include Android.
The MSL stack is assumed to be preinstalled or installed as an application and to contain data that can be used to authenticate remote entities. It may be possible for the MSL stack to be modified by the client user or an unauthorized third party via an exploit.
The unauthenticated entity authentication scheme will be used but the entity identity will be derived from the Widevine client library’s model and device identifiers.
All user authentication schemes will be supported. The exact scheme used will depend upon the desired Netflix subscriber sign-up and sign-in user experience.
The Widevine key exchange scheme will be used. Since the Widevine key request contains the client library’s model and device identifiers, the client entity identity specified in the entity authentication data can be verified. Mismatched identities will be rejected.
The entity identity verification must occur when a message is received to prevent delivery of application data with a spoofed entity identity.