Content flow
- Beat is notified of content arriving through an ONIX feed containing metadata.
- Beat retrieves and stores the source files in a private S3 bucket.
- Audiobooks are transcoded into the formats required for playback on devices.
- Authorized clients (apps) can request content files through our core API. The API can generate a signed URL to the content files that is valid only for a short period of time or a limited number of downloads. The API grants access to content based on business rules, such as:
  - User authentication
  - User purchase status
  - User streaming rights
- The client downloads the file through an HTTPS connection and immediately encrypts it on local storage.
Transport security
During transport between Beat's S3 bucket and the client, content is protected using TLS (HTTPS) with up-to-date cipher suites.
Security on user devices
Streaming
Streaming media (audiobooks) is not stored on the device's permanent storage, only in memory during streaming. This relies on the operating system implementation, and the file is likely to be in memory while the audiobook is streaming.
Downloads
User devices store the content files according to a similar principle, but with slightly different approaches depending on the platform.
iOS
- The file is downloaded to disk through app-internal storage. Once downloaded, the file is immediately encrypted, and the unencrypted file is removed.
- The file is decrypted to memory when playback starts.
- The encryption algorithm is RC4. The key is generated from the track ID and a salt. The derivation function is PBKDF2 with SHA1, 10000 iterations; the key size is variable, up to 512 bytes.
- The time the file is stored unencrypted in application storage is very short, usually under a second (depending on the file size).
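The iOS key derivation and cipher described above, as an added Python sketch (not Beat's code). It assumes the track ID is the PBKDF2 password input; the salt, track IDs, audio bytes and the 32-byte default key length are constructed sample values.

```python
import hashlib

ITERATIONS = 10000  # iteration count stated on this page


def derive_key(track_id: str, salt: bytes, key_len: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA1; using the track ID as the password is an assumption."""
    return hashlib.pbkdf2_hmac(
        "sha1", track_id.encode("utf-8"), salt, ITERATIONS, dklen=key_len
    )


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    # Key scheduling (KSA) reads key[i % len(key)] for i in 0..255 only,
    # so bytes past the first 256 of a longer key never affect the state.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    # Keystream generation (PRGA), XORed with the data.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def demo() -> dict:
    salt = b"constructed-sample-salt"        # constructed value
    audio = b"constructed audio bytes " * 4  # stands in for a downloaded file
    key = derive_key("track-0001", salt)
    ciphertext = rc4(key, audio)
    long_key = derive_key("track-0001", salt, key_len=512)
    return {
        "round_trip": rc4(key, ciphertext) == audio,
        "deterministic": key == derive_key("track-0001", salt),
        "per_track": key != derive_key("track-0002", salt),
        "only_256_used": rc4(long_key, audio) == rc4(long_key[:256], audio),
    }


if __name__ == "__main__":
    print(demo())
```

The last check shows that with standard RC4 key scheduling, a derived key longer than 256 bytes behaves exactly like its first 256 bytes.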
Android
- Data is encrypted on the fly right after receiving downloaded chunks from the remote data source.