Currently protected HLS only garuntee (flexible feature) that only valid ios devices can play the stream. But yes, that doesn't solve your problem. You may like to add some sort of authentication in key delivery part. For example, you may write ios-application to re-write key delivery URL and add some query token to it in NSURLProtocol class. And on apache side, you may check validity of URL sender before request is picked up by the hls module.
This is just a direction.. Though we are looking for some inherent solutions in this direction..
Though it is easily discoverable the hackers but still a direction:
Now, inside apache conf, you may change the location directive hls-key to my-app-hls-key.. In this way any key request that comes as former URL will be reected by the module, while later will be passed.
Since later key requests will only from your client app (which re-write key url inside app using ios NSURLProtocol class) they will succeed as apache confs are configured to accept them while former once are failed.
However this can be traced and replicated by others too..
If you want more secure way then, you may like to send some cookies with the key url as query parameter (again you will have to write your custome app to do that).. On apache side you may write your own module which first authenticate the cookie then redirect the "query parameter stripped key url" to the mod_hlshttp.so..
Why am I only talking about authenticating the key URL not the m3u8 or ts because key url is on https which should always hit the origin.. m3u8 or ts are normal http and can be served from the cache..
Do you have an example of writing an Apache module that does authentication and passes the stripped URL to mod_hlshttp? This is exactly what I need to do (after beating my head against AMS server-side ActionScript and finally realizing that HLS is handles through Apache...)
I'm sure I could dig on the web, but if you have an example it could probably save me a lot of time/effort/headache...
Thanks in advance.