Security Best Practices

Last updated 2022/06/14 08:17:17

Security and compliance are essential for real-time engagements through technology. In order to provide safe and reliable cloud services, Agora adheres to the compliance requirements of different countries, regions, and industries, in addition to being certified to ISO/IEC 27001. For more information, see ISO Certificates.

Agora products and services are designed and built with multiple protection measures against attacks commonly seen in the real-time engagement industry. This article describes some of the security best practices that Agora has adopted, as well as security tools it provides for developers, as follows:

Protection measures	Applied by default	Recommended scenarios
Channel seperation	Yes	All real-time scenarios.
Token authentication	No	All real-time apps in a production environment should use token-based end-user authentication.
Encryption	No	Real-time scenarios that require confidentiality.
Network geofencing	No	Real-time scenarios where customers wish to restrict access to Agora servers to within a specified region.

Level 1 - Channels separation

The channels architect is the first built-in layer of protection. Agora creates an independent and isolated channel for each audio, video, or messaging data transmission. All channels are logically separated and only authenticated users from the same App ID can join the same channel.

Level 2 - Token authentication

The second layer of protection is on the authentication layer. This is done via using the dynamic token authentication. The token is a short-lived access key, which is generated by the app backend and allows users to access the Agora platform after the user is properly validated by the app.

A token is generated with important information such as App ID, user ID (uid), channel name, and expiration date.

The app developer can enable token authentication (App Certificate) on Console. When enabled, all user’s request to join a channel must be done with a valid token.

For more imformation on how to enable token authentication, refer to Use a token for authentication.
For a token generator sample code, refer to the AgoraDynamicKey repository.

Please note for best security practices, you need to set the token expiration time (24 hours by default). A token has three expiration timestamps:

Token expiration: How long a token is valid for, that is, how long a user can stay in a channel.
Privilege expiration:
- Join a channel: How long a token can be used to join a channel.
- Streaming privilege: Whether a user can send audio, video or messaging to the channel, or join as an audience member. This privilege is not enabled by default. For details, refer to FAQ: How do I use co-host authentication.

Level 3 - Encryption

The next layer of security in the Agora platform is encrytion. Agora supports transmission encryption and data encryption.

To guarantee data confidentiality during transmission, Agora uses the AUT (Agora Universal Transport) encryption protocol, Agora's proprietary secured transport layer.

Data encryption encrypts all the audio and video streams with a symmetric key and encryption controlled by the app developer. In this level the app provides a symmetric encryption key to the local SDK libraries.

The SDK encrypts all the captured media using the key and the configured encryptions using AES 128/256 (based on configuration). The data is sent encrypted to Agora SD-RTN^TM and from there to the other endpoints in the channel. The receiving endpoint will use the key provided by the app layer to decrypt the media streams and send to the renders. With this method, only the application knows the keys. In the Native SDK (iOS, Android, Mac, Windows) the keys are not sent to Agora servers.

When using Other Agora services like Web SDK, Cloud Recording, Content Moderation, Transcoding etc, encryption is done a bit differently and it is not end-to-end. In this case media is still encrypted but the Agora service needs to be aware of the key to be able to connect to the channel and provide service. For example, in Web SDK the User/Browser protection is done via the web-server protection (HTTPS) as well as the WebRTC standard, security practice (encryption, key management etc). More information on WebRTC security can be found here https://webrtc-security.github.io/.

The media encryption on Web SDK is done via WebRTC standard but the interoperability to Agora is done using Agora’s encryption engine and the encryption key is passed securely to the Web SDK servers via the APIs. The key is required as the Agora edge server will convert from WebRTC protocols to Agora’s protocol and allow interoperability with Native SDK. Similar situation happens with Cloud Recording, Content Moderation etc., where the Restful APIs are used to securely pass the key for the channel.

Refer to the following guides for descriptions of how to enable encryption:

Level 4 - Network geofencing

To meet the laws and regulations of different countries or regions, the Agora RTC SDK supports geofencing. After enabling geofencing, the SDK only connects to Agora servers within the specified region, regardless of where your app users are located.

For example, if you specify North America as the region for connection, when two users attempt to connect to Agora servers from different locations, the result is as follows:

Specified region for connection	App user location	Actual region for connection	User experience after connection ¹
North America	North America	North America	Normal
North America	China	North America	Can be less than optimal ²

¹ If there is no available server in the specified region, the SDK throws an error.
² When the user's location is different from the specified region, the public network spanning between the user's location and the specified region might have a poor quality, which can make the audio and video experience less than optimal.

Do not enable geofencing if your scenarios do not have regional restrictions.

Refer to the following guides for descriptions of how to use network geofencing:

The RTC SDK
- Android
- iOS
- macOS
- Windows
- Web
The RTM SDK
- Android
- iOS
- macOS
- Windows
- Web
- Linux C++
- Linux Java

Security best practice checklist

Use this list to quickly check what measures you have or have not taken to best protect the security of you app and users:

Enable token authentication on Agora Console.
Disable No certificate in your project management page. Once it is done your app authenticates users with tokens only.
Deploy a token server in your backend services.
Protect the token server and only allow the app backend server to connect to the token server.
Set the token expiration date to a reasonable time. See the description of the privilegeExpiredTs parameter in API Reference.
If needed, contact support@agora.io to enable token privilege and set token per role.
For additional security if needed work with the Agora SA team to customize the token server and modify the token join privilege to a low time, like 5 min. This is more advance and recommended after app development is completed.
Channel encryption key management – generate a random key (secret) per channel at the time of creating the channel, do not reuse encryption keys.
Pass the channel encryption key (secret) securely outside of Agora engine to authenticated endpoints that are allowed to join the channel.
For additional security, you can also do the following:
- Set the “Agora channel name” to a one-time random string managed by your app.
- Set the Agora uid to a one-time numeric id that is mapped to the user on the app level. Do not use the users' real ID on your app as the Agora uid.

Is this page helpful?

Yes