Aloha browser on iOS bypasses Cloudflare Stream signed URL protection

We found a Cloudflare Stream signed URLs bug.

We created a testing website: 9188.space using Cloudflare Stream Signed URL and opened a challenge for any technical people to download the video.

One user actually reported being able to download the video perfectly, bypassing Cloudflare signed URL functionality.

He simply used Aloha Browser with iOS.

Strangely enough, with Aloha browser on Android instead, the protection works well.

See full bug report and further documentation with details on our blog here:
https://greenwebsolutions.ch/aloha-browser-on-ios-can-bypass-cloudflare-stream-signed-url-protection/

Can you confirm that you are generating a signed URL and not confusing that feature with the allowed domains feature?

Please note that while the allowed domains feature lets you restrict access based on the referrer domain and the signed URL feature lets you restrict access based on time, geographic locations etc., the client (for example Aloha Browser) may still allow the user to download the video on the client-side.
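
A simplified model of the point made in the reply above, added here as an example and not part of the thread or Cloudflare's code: a signed-URL check decides only whether to deliver the stream, based on signature, expiry and location claims. The claim layout, `signToken`, `verifyAtEdge` and all sample values are assumptions for illustration.

```javascript
// Added example: simplified model of a signed-URL check, not Cloudflare's code.
// Claim names (sub, exp, countries) and both helpers are assumptions.
const crypto = require('node:crypto');

// Constructed key pair standing in for the service's signing key.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64u = (v) => Buffer.from(v).toString('base64url');

// Issue a JWT-style RS256 token bound to one video, an expiry and a country list.
function signToken(videoId, exp, countries) {
  const head = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64u(JSON.stringify({ sub: videoId, exp, countries }));
  const sig = crypto.sign('sha256', Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${b64u(sig)}`;
}

// Delivery decision. Its only inputs are what a request carries (token, video,
// client country, time); nothing describes what the client does with the bytes.
function verifyAtEdge(token, videoId, country, now) {
  const parts = token.split('.');
  if (parts.length !== 3) return 'deny: malformed';
  const [head, body, sig] = parts;
  const ok = crypto.verify('sha256', Buffer.from(`${head}.${body}`), publicKey,
    Buffer.from(sig, 'base64url'));
  if (!ok) return 'deny: bad signature';
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  if (claims.sub !== videoId) return 'deny: wrong video';
  if (now >= claims.exp) return 'deny: expired';
  if (!claims.countries.includes(country)) return 'deny: country';
  return 'allow';
}

// Constructed sample run: one valid token checked under different conditions.
function demo() {
  const now = 1700000000, vid = 'VIDEO_UID_PLACEHOLDER';
  const token = signToken(vid, now + 300, ['CH']);
  const [head, , sig] = token.split('.');
  // Same signature over a body with a later expiry: must fail verification.
  const edited = `${head}.${b64u(JSON.stringify({ sub: vid, exp: now + 99999, countries: ['CH'] }))}.${sig}`;
  return {
    inWindow: verifyAtEdge(token, vid, 'CH', now + 10),
    expired: verifyAtEdge(token, vid, 'CH', now + 301),
    otherCountry: verifyAtEdge(token, vid, 'US', now + 10),
    otherVideo: verifyAtEdge(token, 'OTHER_VIDEO', 'CH', now + 10),
    edited: verifyAtEdge(edited, vid, 'CH', now + 10),
  };
}
console.log(demo());
```

In this model a short expiry narrows the window in which a token is honoured, but any client that presents a valid token inside that window receives the same bytes.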

Hello zaid, and thanks for your answer.
We are using both allowlisting and signed URLs for those videos.
From my understanding and also from reading here:

if you use both those features you can really harden the download of the video.

Which with Aloha browser ON ANDROID works perfectly (and also on PC via download helper or Jdownloader)… it’s nearly impossible for those downloaders to intercept the flux and download an mp4.

But for Aloha browser on iOS this is possible, which sounds very strange to me, as it’s the only case where the video is AS EASILY downloadable as right-clicking and “download now”.

As one of the purposes (even if marginal) of both features offered by CF is actually to prevent download… is there something you can do to also address this iOS-Aloha case/situation?

Thanks
Enjoy the rest of your day

Hello, any chance to have an answer on my reply above?
Thanks a lot!
Kind regards