Suggestions

close search

Securing your OpenTok app

Follow these best practices for maintaining security in your app.

TokBox recognizes that security is an essential consideration for any business interested in integrating real time communications into its website, app or service. The OpenTok platform is a reliable and secure platform on which you can build applications that meet your company, industry or client security needs.

This page includes the following sections:

Security FAQs

Is voice and video traffic encrypted in an OpenTok on WebRTC session?

Yes, all media traffic is encrypted no matter the endpoint you use (web or mobile) or the session setup you choose (P2P or multiparty). That means that you are safe when using OpenTok solution even if use it in an open public hotspot.

Note that in an upcoming release of Google Chrome, publishing will only be supported on HTTPS pages. See this announcement.

Is it based on a proprietary solution?

No, we don’t believe in proprietary solutions when we talk about security. OpenTok is fully based on proven standards, written by industry experts, and used for years in commercial products. The core protocols providing WebRTC OpenTok security are SRTP for media traffic encryption and DTLS-SRTP for key negotiation, which are defined by the IETF.

What are the encryption algorithms and strength of the keys being used?

OpenTok WebRTC-compatible endpoints use the AES cipher with 128-bit keys to encrypt audio and video, and HMAC-SHA1 to verify data integrity.

What keys are being used for the encryption?

The endpoints generate random keys at the beginning of the session and in addition they change periodically during the conversation to make it even safer.

Does it require any interaction with the user?

No, everything happens under the hood without any interaction with the user.

Does it require any change in my OpenTok-based applications?

No, the OpenTok API doesn’t change. The OpenTok API does not expose these low-level details to developers.

Does it have an impact on bandwidth and quality of the videoconference?

It has, but very low. It increases the length of each audio and video packet by 8 bytes, but that is less than 1% of the typical bitrate of a OpenTok session. Regarding the delay, the SRTP encryption framework was designed specifically for real-time applications, and the impact is not noticeable at all.

Does it have an impact on CPU or battery consumption?

Yes, but the cost of encoding and decoding audio and video is significantly higher than the cost of encrypting and decrypting.

Security best practices

Whether you're new to the OpenTok platform, or have years of experience, here is a useful set of best practices you can employ when developing with OpenTok to help you build a secure application.

Serve content using HTTPS URLs

In an upcoming release of Google Chrome, publishing will only be supported on HTTPS pages. See this announcement.

Personal Information

Keep the API key and secret private and secure

The API key and secret are used to create tokens that grant access to sessions, retrieve archive metadata and change archive storage credentials, as well as other administrative operations on your account.

To avoid compromising your credentials, you should always keep your API secret private. Some key measures you can take:

Generate a unique session ID per call and token per participant

You need to generate a session ID to initiate a call. The tokens that enable the participants to join are unique to a session ID. The tokens have an expiry but it may be longer than the duration of your call. Therefore, if you have consecutive meetings using the same session ID, earlier users may still be able to connect to the new meeting.

To avoid this:

See this topic on how to create sessions. See this topic on how to generate tokens.

Ensure server generating token is behind authenticated endpoint

It is important to place the server generating the token behind an authenticated endpoint because anyone with access to that server could end up generating new tokens and could abuse the app to generate usage.

Don't use personal information in token data.

The token data is a string containing metadata describing the connection. However, this data is passed to all users in the session and is also readable through the OpenTok client logs. This means you should never use unencrypted sensitive or personal information in the token data. See this topic on how to add data to your tokens.

Relayed vs Routed Mode

End to End Media Encryption

During a routed session, media streams are temporarily decrypted while within the OpenTok Platform cloud servers and then immediately re-encrypted prior to being sent through the internet to the subscribing client. This decryption is necessary for managing group sessions, intelligent quality control, and archiving of sessions (if used). Using routed sessions, your media streams are never transmitted unencrypted on the open internet.

However, if your application requires uninterrupted end-to-end encryption of all media, you may choose to use relayed sessions. Be aware that you would not be able to use archiving, and performance will not be managed as well in low bandwidth / high packet loss networks or with groups.

Archiving

TokBox provides a number of ways to ensure the security of your archived OpenTok sessions.

Different levels of archive security

You can secure your archives in the following ways:

Manage archive deletion

An archive successfully uploaded to your storage will be automatically deleted from the OpenTok archiving server at the time of upload.

In case of failure to upload, OpenTok storage is provided as a default fallback option. This means the archive will be stored for 72 hours on the OpenTok server.

You will be alerted via email for every archive that fails to reach your storage. You can then use the REST API to download the archive from the archive URL.

Following the download, you can choose to immediately delete the archive to avoid it being on the OpenTok storage for the remainder of the fallback period.

To prevent this fallback storage, log in to your TokBox Account, select the project, and set the option to disable archive storage fallback.

See this topic for more information on how to delete an archive.

Control who is able to begin archiving

You can only archive a session using the REST API. To control who can initiate the archive, you can programmatically decide which view of the application includes the option to start archiving. Those unauthorized would have a limited view with no option to archive.

In addition to authenticating your own users, you should also consider a strategy for authorization. Once you know who a user is (authentication), and that they are in fact allowed to start an archive (authorization), you've reduced the risk of any unintended user from causing archives to be recorded.

Ensure minimum set of privileges

The minimum set of permissions required to upload archives to our storage is discussed in this topic.

Partners should not provide any additional permissions for the credentials that they store with OpenTok.

Alerts and Controls

Limit maximum number of users in a session

In order to have more control over the number of people in a session, your application should limit the maximum number of users in a session. This could be useful if you're trying to limit your usage.

Display subscriber count

You may also wish to set up a subscriber count to display in your application. This is a useful way of knowing when a connection is subscribing but not publishing.

Set up Moderator permissions to force disconnect

OpenTok platform provides the capability to remove a user from a session. For example, in case of violation of terms of services, you can enable the moderator in the session to remove the violating participant from the session via force disconnect or force unpublish. See this topic for more information.

Allocate Subscriber-only permissions for those that do not need to publish

In some use cases you may want to limit the number of people who can publish in a session. This is easily implemented by not extending publish permissions to every participant.

See this topic for generating tokens with the right roles.