DRM for Beacons
There has been a lot of noise around beacons over the last couple of years, but they still do not seem to be nearing mass-market adoption. There are two reasons for that.
One is technology fragmentation. We have two competing standards: Apple iBeacon and Google Eddystone. But that would not pose too much of a challenge, as it is relatively easy to build beacons that interleave both message formats.
The second is the DRM problem, which is much more difficult to solve. Say United installs a network of beacons that guides United passengers to their gates using the United app. As passengers are guided to the gates, a competitor's app picks up the same beacon signals and offers cheaper flights next time. This is certainly not what United would like to see, and it leaves them scratching their heads over whether they should be installing beacons in the first place.
The second problem really comes down to how we allow the legitimate app to receive beacon signals while preventing other apps from doing the same. Some try to solve this by encrypting beacon messages and having the app forward the encrypted messages to a cloud service, which then returns the decrypted data to the app. But then again, how does the cloud service know which app it is giving the data back to? Can the cloud service distinguish the United app from a competitor's app?
This is the app authentication problem. The web service should answer a call from one app while dropping the same call from another app. So the app should have a unique secret (preferably a private key) to sign the request. The cloud service would then verify the signature and decide whether to take the call or drop it.
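The sign-and-verify exchange described above, as an added Go example that is not part of the original post: the app signs each request with an Ed25519 private key, and the cloud service takes the call or drops it. The `united-app` ID, the field layout, the 60-second freshness window and the nonce replay cache are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Request is what the app sends to the cloud service (hypothetical layout).
type Request struct {
	AppID      string
	Timestamp  int64  // Unix seconds, set by the app
	Nonce      uint64 // unique per request
	Frame, Sig []byte // encrypted beacon message; signature over signedBytes
}

// signedBytes binds every field so none can be swapped after signing.
func signedBytes(r Request) []byte {
	head := fmt.Sprintf("%d:%s|%d|%d|", len(r.AppID), r.AppID, r.Timestamp, r.Nonce)
	return append([]byte(head), r.Frame...)
}

type Service struct { // cloud side
	Keys map[string]ed25519.PublicKey // public key registered for each app
	Seen map[string]bool              // replay cache of accepted requests
}

// Accept returns nil to take the call, or the reason the call is dropped.
func (s *Service) Accept(r Request, now int64) error {
	id := fmt.Sprintf("%s/%d", r.AppID, r.Nonce)
	age := now - r.Timestamp
	switch pub, ok := s.Keys[r.AppID]; {
	case !ok || !ed25519.Verify(pub, signedBytes(r), r.Sig):
		return fmt.Errorf("unknown app or bad signature")
	case age > 60 || age < -60: // assumed freshness window of one minute
		return fmt.Errorf("stale timestamp")
	case s.Seen[id]:
		return fmt.Errorf("replayed request")
	}
	s.Seen[id] = true
	return nil
}

func main() { // constructed sample: the first call is taken, its replay is dropped
	pub, priv, _ := ed25519.GenerateKey(nil)
	svc := &Service{map[string]ed25519.PublicKey{"united-app": pub}, map[string]bool{}}
	req := Request{AppID: "united-app", Timestamp: 1700000000, Nonce: 1, Frame: []byte("constructed beacon frame")}
	req.Sig = ed25519.Sign(priv, signedBytes(req)) // app side: sign with the app's private key
	fmt.Println(svc.Accept(req, 1700000005), svc.Accept(req, 1700000006))
}
```

The service stores only public keys, so the check holds exactly as long as the app's private key stays secret on the device.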
The problem is that we lack good support for app authentication and application key storage on mobile platforms. While an app can have some private data storage, it is not secure. Whatever is stored there can be retrieved by other apps without too much effort.
The lack of strong support for application authentication is surprising, especially considering that the mobile OS platforms are fairly mature. It looks like it limits wide adoption of many types of content distribution platforms, not just beacons. Building content businesses that rely on weak technology foundations is risky. You succeed only while you are small. But when you grow big enough, you will be hacked, unless the technology really protects you.