Introduction
The Amino Media Player is highly flexible and can be configured to work in a variety of setups and network environments. Security is crucial during deployment, and the player's parameters can be adapted to the specific network environment to minimize the risk of cyber-attacks. This article presents the options that users should consider and recommends a secure deployment configuration for different network scenarios.
Summary
The configuration of the Amino Media Player is controlled by device parameters, which are boot parameters that determine the activation or deactivation of various features. These device parameters are categorized into different types. Below are the device parameters that specifically affect security.
Service / Setting | Device Parameter |
Third-party App Installation Service | system.allow_install_unknown_sources |
IR remote control Service | system.ir_control.enable |
Setting Menu | key.link.menu |
Browser Web Inspector | browser.inspector.enable |
Browser Web Security Policy | browser.security.mixed_content |
Browser On Screen Keyboard | browser.webapp.on_screen_keyboard_disabled |
Browser SSL Certification Trust Store | browser.trust_store |
EELM Service | eelm.enable |
EELM SSL Certification Trust Store | eelm.trust_store |
EELM Zapper Editor | eelm.zapper_editor.enable |
Debug Service Via ADB console | adb.mode |
Debug Service with Developer option | debugging.developer_options.enable |
HDMI CEC Service | hdmi.cec.control |
HDMI HDCP Service | system.hdcp.enable |
Factory Reset Pin Setting | hardware.disable_reset_pin |
System Service
system.allow_install_unknown_sources: Controls whether applications from an unknown source may be installed.
system.ir_control.enable: Turns the infrared (IR) remote control on or off.
key.link.menu: An option to configure the key to access the settings menu.
Browser Service
browser.inspector.enable: Enables or disables the web inspector of the Amino Browser.
browser.security.mixed_content: Controls whether the browser may access insecure origins.
browser.webapp.on_screen_keyboard_disabled: Turns the on-screen keyboard on or off.
browser.trust_store: The location hosting additional CA certificates for browser page SSL authentication.
EELM Service
eelm.enable: Specifies the security level for the Enable Enterprise Local Management Server (EELM).
This parameter has 4 options:
0: Disable (Default). Only allow connection from localhost.
1: Allow both HTTP and HTTPS connection without client authentication.
2: Allow HTTPS connection without client authentication.
3: Allow HTTPS connection with client authentication.
eelm.trust_store: Must also be configured if eelm.enable=3, which enables client authentication. This allows you to specify the certificate that the STB will use in the authentication process. Details of how to generate the certificate and to set the eelm.trust_store options are given below.
eelm.zapper_editor.enable: Controls access to the Zapper Lineup editor.
Debug Service
adb.mode: Turns the Android Debug Bridge (ADB) on or off.
debugging.developer_options.enable: Turns the developer options on or off.
Display Setting
hdmi.cec.control: Turns the HDMI-CEC function on or off.
system.hdcp.enable: Controls HDCP protection on HDMI.
Hardware Setting
hardware.disable_reset_pin: Enables or disables the hardware reset pin.
High Security - Production Environment
These are the high-security settings for the production deployment environment. It is recommended to expose the minimum set of services to the network. Services that require access via the network must communicate over a secure channel. Access via peripherals should be restricted to minimize user interaction.
Service / Setting Recommendation:
Service / Setting | Recommendation |
Third-party App Installation | Disallow installing applications from an unknown source |
IR remote control | Disable the IR Remote control |
Setting Menu | Disable the access to system menu |
Browser Web Inspector | Disable the access to browser web inspector |
Browser Web Security Policy | Disallow cross-origin web content access |
Browser On-Screen Keyboard | Disable on-screen keyboard access |
Browser SSL Certification Trust Store | Only configure if required |
EELM Service | HTTPS connection with client authentication |
EELM SSL Certification Trust Store | Configure the pub key of a trusted SSL Cert for EELM |
EELM Zapper Editor | Disable access ( optional - depends on use case) |
Debug Service Via ADB console | Disable ADB console access |
Debug Service with Developer option | Disable developer options |
HDMI CEC Service | Disable HDMI-CEC Service (optional-depends on use case) |
HDMI HDCP Service | Enable HDMI-HDCP Service (optional-depends on use case) |
Factory Reset Pin Setting | Disable the factory reset pin |
Below are the recommended device parameters:
system.allow_install_unknown_sources=false
system.ir_control.enable=false
key.link.menu=""
browser.inspector.enable=false
browser.security.mixed_content=never
browser.webapp.on_screen_keyboard_disabled=true
browser.trust_store=<pub_SSL> ## Copy the content of the public SSL certificate onto a single line
eelm.enable=3
eelm.trust_store=<pub_SSL> ## Copy the content of the public SSL certificate onto a single line
eelm.zapper_editor.enable=0
adb.mode=0
debugging.developer_options.enable=0
hdmi.cec.control=off
hardware.disable_reset_pin=1
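The following added example (not Amino tooling) checks a parameter listing against the high-security values above and reports each deviation, including a trust store left as a placeholder while eelm.enable=3. It assumes key=value lines with ## comments as in the listing, leaves out eelm.zapper_editor.enable and hdmi.cec.control because the table marks them as use-case dependent, and runs on a constructed sample.

```python
# Added example, not vendor code: audit device parameters (assumed key=value format).
HIGH_SECURITY = {
    "system.allow_install_unknown_sources": "false",
    "system.ir_control.enable": "false",
    "key.link.menu": "",
    "browser.inspector.enable": "false",
    "browser.security.mixed_content": "never",
    "browser.webapp.on_screen_keyboard_disabled": "true",
    "eelm.enable": "3",
    "adb.mode": "0",
    "debugging.developer_options.enable": "0",
    "hardware.disable_reset_pin": "1",
}

def parse_params(text):
    """Parse key=value lines; '##' starts a trailing comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip().strip('"')
    return params

def audit(params):
    """Return sorted (key, found, expected) deviations; found=None means unset."""
    findings = [(k, params.get(k), want) for k, want in HIGH_SECURITY.items()
                if params.get(k) != want]
    store = params.get("eelm.trust_store", "")  # required when eelm.enable=3
    if params.get("eelm.enable") == "3" and (not store or store.startswith("<")):
        findings.append(("eelm.trust_store", store or None, "certificate content"))
    return sorted(findings, key=lambda f: f[0])

# Constructed sample listing: two wrong values, a placeholder, one omission
SAMPLE = """\
system.allow_install_unknown_sources=false
system.ir_control.enable=false
key.link.menu=""
browser.inspector.enable=true
browser.security.mixed_content=never
browser.webapp.on_screen_keyboard_disabled=true
eelm.enable=3
eelm.trust_store=<pub_SSL> ##placeholder never replaced
adb.mode=1
debugging.developer_options.enable=0
"""

if __name__ == "__main__":
    print(*audit(parse_params(SAMPLE)), sep="\n")
```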
Basic Security - Testing Environment
These are the basic security settings for the test environment. It is recommended to expose only the necessary services to the network. Services that require access via the network should communicate over a secure channel. Access via peripherals should be less restrictive to allow more user interaction. Below are the recommended settings.
Service / Setting Recommendation:
Service / Setting | Recommendation |
Third-party App Installation | Allow install application from unknown source |
IR remote control | Enable the IR Remote control |
Setting Menu | Enable the access to system menu |
Browser Web Inspector | Enable the access to browser web inspector |
Browser Web Security Policy | Disallow cross-origin web content access ( optional ) |
Browser On-Screen Keyboard | Enable on-screen keyboard access |
Browser SSL Certification Trust Store | Only configure if required |
EELM Service | Allow both protocols with less authentication |
EELM SSL Certification Trust Store | Not required |
EELM Zapper Editor | Enable access |
Debug Service Via ADB console | Enable ADB console access |
Debug Service with Developer option | Enable developer options |
HDMI CEC Service | Enable HDMI-CEC Service (optional-depends on use case) |
HDMI HDCP Service | Enable HDMI-HDCP Service (optional-depends on use case) |
Factory Reset Pin Setting | Enable the factory reset pin |
Below are the recommended device parameters:
system.allow_install_unknown_sources=false
system.ir_control.enable=true
browser.inspector.enable=true
browser.security.mixed_content=never
browser.webapp.on_screen_keyboard_disabled=false
eelm.enable=1
eelm.zapper_editor.enable=1
adb.mode=1
debugging.developer_options.enable=1
hdmi.cec.control=on
hardware.disable_reset_pin=0
Low Security - Developer Environment
These are the low-security settings for the developer environment. It is not necessary to limit the services accessible via the network. Services that require access via the network may, for flexibility, communicate over a non-secure channel. Access via peripherals should not be restricted. Below are the recommended settings.
Service / Setting Recommendation:
Service / Setting | Recommendation |
Third-party App Installation | Allow install application from unknown source |
IR remote control | Enable the IR Remote control |
Setting Menu | Enable the access to system menu |
Browser Web Inspector | Enable the access to browser web inspector |
Browser Web Security Policy | Enable cross-origin web content access |
Browser On-Screen Keyboard | Enable on-screen keyboard access |
Browser SSL Certification Trust Store | Only configure if required |
EELM Service | Allow both protocols with less authentication |
EELM SSL Certification Trust Store | Not required |
EELM Zapper Editor | Enable access |
Debug Service Via ADB console | Enable ADB console access |
Debug Service with Developer option | Enable developer options |
HDMI CEC Service | Enable HDMI-CEC Service (optional-depends on use case) |
HDMI HDCP Service | Disable HDMI-HDCP Service (optional-depends on use case) |
Factory Reset Pin Setting | Disable the factory reset pin |
Below are the recommended device parameters:
system.allow_install_unknown_sources=true
system.ir_control.enable=true
browser.inspector.enable=true
browser.security.mixed_content=always
browser.webapp.on_screen_keyboard_disabled=false
eelm.enable=1
eelm.zapper_editor.enable=1
adb.mode=1
debugging.developer_options.enable=1
hdmi.cec.control=on
system.hdcp.enable=off
hardware.disable_reset_pin=0