How Netflix Downloads Actually Work — Where the Files Live, Why You Can't Copy Them, and What Happens When the License Expires
When you tap the Download button on a Netflix title, you are not downloading a movie file. You are not getting an MP4. You are not getting anything a file manager can see. What actually happens is that Netflix copies a collection of encrypted fragments into an app-private sandbox that no other app on your phone can read, issues a license that lives inside your device's Content Decryption Module in hardware-backed secure storage, and starts a countdown clock that the CDM enforces locally — even when you are completely offline. The "file" on your phone is useless to anyone and anything except the Netflix app running on that specific device.
This post walks through the full offline-download flow step by step. It is a companion to the broader how Netflix-scale DRM works post — that one covers the streaming case in detail. This one zooms in on the download button and answers the questions everyone has but nobody explains properly: what gets saved, where it lives, why you cannot copy it, how the expiration clock actually works, and why uninstalling the Netflix app does not fully reset your download counts.
Everything here is grounded in publicly documented specs — the W3C Encrypted Media Extensions standard, Google's Widevine documentation, Apple's FairPlay Streaming specification, the MPEG-CENC standard, and the MPEG-DASH manifest format. No guessing, no fabrication.
The Full Step-by-Step — What Happens When You Tap Download
Here is what actually happens between the moment your finger lands on the Download button and the moment the app shows "Downloaded."
Step 1 — The app requests a special "offline" manifest
Streaming and downloading are served by two different manifests. When you tap Download, the Netflix app sends a request to the backend with a flag that effectively says "give me the offline version of this title for this device." The backend responds with a DASH manifest (or HLS playlist on Apple devices) that has a few important differences from the streaming one:
- The available bitrates are capped lower than streaming — downloads are typically limited to SD or HD depending on plan and device, because studios are more conservative with offline content
- The ContentProtection elements include a PSSH that signals "this is for persistent (offline) licensing" rather than a streaming session license
- The segment URLs point to a specific set of files sized for sequential download, not adaptive streaming
This is why you sometimes see lower quality on downloads than on streaming — the manifest itself caps your options. It is not a bandwidth optimization; it is a licensing constraint enforced at manifest-generation time.
Step 2 — The CDM generates a persistent license request
The Netflix app passes the PSSH data from the manifest into the browser or platform's Encrypted Media Extensions (EME) API, but it flags the request with sessionType: "persistent-license" instead of the normal "temporary". This tells the Content Decryption Module — Widevine on Android, FairPlay on iOS — that the license it is about to request must be saved for offline use, not discarded after the session ends.
The CDM generates a license request blob containing:
- The Key ID (KID) from the PSSH — which content key is being requested
- A device-bound identity certificate — proof of which specific device is asking
- A persistent-license type flag — request for an offline-capable license
- Device attestation data — proof of the Widevine security level (L1, L2, or L3)
This request is sent to Netflix's license server.
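The EME calls behind Step 2, plus the load() call the app makes at offline playback time, as an added browser-side example (not Netflix's app code). It assumes the Widevine key system id com.widevine.alpha, a PSSH blob taken from the manifest, and a placeholder licenseUrl.

```javascript
// Added example, not Netflix's code: requesting and later reloading a
// persistent-license EME session per the W3C EME spec. Assumptions: `pssh`
// is the PSSH initData from the DASH manifest, `licenseUrl` is a placeholder.
function offlineKeySystemConfig() {
  return [{
    initDataTypes: ['cenc'],
    persistentState: 'required',          // the CDM must be able to store the license
    sessionTypes: ['persistent-license'], // instead of the default 'temporary'
    videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"', robustness: 'HW_SECURE_ALL' }],
    audioCapabilities: [{ contentType: 'audio/mp4; codecs="mp4a.40.2"' }],
  }];
}

// Step 2: create a persistent session, forward the CDM's request blob to the
// license server, feed the response back, and keep only the sessionId.
// The license itself stays inside the CDM; the app never sees the key.
async function downloadLicense(video, pssh, licenseUrl) {
  const access = await navigator.requestMediaKeySystemAccess('com.widevine.alpha', offlineKeySystemConfig());
  const mediaKeys = await access.createMediaKeys();
  await video.setMediaKeys(mediaKeys);
  const session = mediaKeys.createSession('persistent-license');
  const licensed = new Promise((resolve, reject) => {
    // 'message' fires with the CDM-generated license request (KID, device cert, attestation)
    session.addEventListener('message', async (ev) => {
      try {
        const res = await fetch(licenseUrl, { method: 'POST', body: ev.message });
        await session.update(await res.arrayBuffer()); // CDM stores the license
        resolve(session.sessionId);                     // all the app keeps
      } catch (e) { reject(e); }
    });
  });
  await session.generateRequest('cenc', pssh);
  return licensed;
}

// Offline playback: reload the stored session by id. Whether the license is
// still usable is decided by the CDM from its own storage, not by the app.
async function reloadOfflineLicense(mediaKeys, sessionId) {
  const session = mediaKeys.createSession('persistent-license');
  const found = await session.load(sessionId);
  if (!found) return { ok: false, reason: 'no such persistent session' };
  // session.expiration is epoch milliseconds, or NaN when the license has no expiry
  if (Number.isFinite(session.expiration) && session.expiration <= Date.now())
    return { ok: false, reason: 'license expired' };
  return { ok: true, session };
}
```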
Step 3 — Netflix's license server issues a persistent license
The license server runs the same authorization checks as for streaming (plan limits, geographic rights, device security level) plus some additional checks specific to offline:
- Does the studio contract for this title permit offline download?
- Has this account already reached its download count limit for this title (typically 2 devices)?
- Is this device eligible for a persistent license at all — some regions or plans do not allow it
If everything passes, the license server fetches the content key from its key store, wraps it with the device's public key, and embeds an explicit expiration timestamp directly into the license payload. The expiration has two components:
- An availability window — how long the license is valid from the moment of issue. Netflix's publicly documented rule is up to 30 days for most content.
- A playback window — how long you have once you first tap play. Netflix's documented rule is 48 hours from first play for most content.
Both values are written into the license as cryptographically signed timestamps. The CDM will enforce them locally using the device clock, and neither requires any further network contact to work.
Step 4 — The license is stored in CDM secure storage (not app storage)
This is the part most people miss. When the license comes back, Netflix does not store it in its own app data. The license goes into the CDM's secure storage — a separate, hardware-backed region managed by the Widevine or FairPlay implementation on your device. On Android, this storage is typically inside the TEE or a dedicated secure element. On iOS, it lives in the Secure Enclave-backed storage used by FairPlay.
The CDM's secure storage has three properties that matter:
- It survives app uninstalls. If you delete Netflix and reinstall, your persistent licenses are still there — which is why Netflix can detect that you previously downloaded a title even after a fresh install. (App data is wiped, but CDM storage is not.)
- It is tied to the device identity. A factory reset usually invalidates CDM storage because it resets the Widevine/FairPlay device identity, but a simple uninstall does not.
- It cannot be read by the app. The Netflix app cannot read the license directly — it can only ask the CDM to use it. This means the content key is never exposed to Netflix's own code, let alone any other app on the device.
Step 5 — Encrypted segments are downloaded to Netflix's app-private sandbox
With the license safely stored, the app starts pulling the encrypted video and audio segments from Netflix's CDN (Open Connect, the same CDN that serves streaming). These segments are written to Netflix's app-private storage. On Android this is under a path like:
/data/data/com.netflix.mediaclient/...
On iOS it is inside the Netflix app's sandbox container, accessible through paths the iOS kernel isolates from other apps. In both cases, this location has one critical property: no other app on your phone can read it. Not your file manager, not your gallery, not a third-party video player — unless the device is rooted or jailbroken, no process other than Netflix itself can see those files.
The segments are stored in their original encrypted form — AES-128-CTR or AES-128-CBC ciphertext per the CENC standard. They are not reassembled into a single file. A downloaded two-hour movie on your phone is typically hundreds of small segment files scattered across a directory structure that only the Netflix app knows how to walk. There is no single MP4 to "rip."
Step 6 — You tap Play (offline)
When you start playback later, here is what happens even if your phone is in airplane mode:
- The Netflix app opens the manifest it saved locally and identifies which segments to read first.
- It asks the CDM to load the persistent license for this content (referencing the KID).
- The CDM checks the license expiration against the device clock. If the availability window has expired, or if the playback window has started and run out, the CDM refuses the request. You see "License expired" in the app.
- If the license is still valid, the CDM starts decrypting segments. If this is the first time you are playing, the CDM records the "first play" timestamp into its secure storage — this is what starts the 48-hour playback window clock.
- Decrypted samples are passed directly to the hardware video decoder inside the TEE (on L1 devices), and the decoded frames go straight to the GPU. The cleartext video never touches normal application memory.
The critical thing to notice: none of this requires a network connection. All the trust checks, all the expiration enforcement, all the key delivery happens locally using data the CDM stored during the download. Netflix does not need to phone home for you to watch an offline download. But the clock is ticking whether you like it or not.
Why You Cannot Copy a Netflix Download
People often ask: if I copy the encrypted files from one rooted phone to another, will they play? The answer is no, and the reason is elegant.
Remember that the persistent license was wrapped with the original device's public key. That means the content key inside the license can only be unwrapped by the corresponding private key — which exists only inside the original device's Widevine or FairPlay implementation, in hardware-backed storage that cannot be exported. Copying the encrypted segments to a second device gives you ciphertext you cannot decrypt, because the second device's CDM has a completely different identity and cannot issue itself a valid license for content keys addressed to someone else.
Even if you also copied the license file (assuming you could extract it from CDM secure storage, which you generally cannot), the second device's CDM would reject it because the license is cryptographically bound to the first device's public identity. There is no way to transplant a persistent license — Widevine and FairPlay are designed specifically to make this impossible.
The only "attack" that works is to rip the content while it is being played back by the legitimate CDM on the legitimate device — and even that is extremely difficult on L1 devices because the decoded frames never leave the secure hardware path. The encrypted blob on your phone is, from a copy-protection standpoint, as useless as a pile of random bytes to anyone who is not you, on that device, with that app, before that license expires.
The Expiration Clock — How It Actually Works
Netflix's documented offline rules are "up to 30 days to start watching, 48 hours from first play to finish." Here is how those two windows are actually enforced:
The 30-day availability window
When the license server issues the persistent license in Step 3, it embeds an absolute expiration timestamp into the license payload — for example, "valid until 2026-05-12T14:23:00Z." This timestamp is signed as part of the license so it cannot be tampered with. The CDM compares it to the device's current clock every time it is asked to use the license. If the device clock has passed the expiration, the CDM refuses. No network required.
This is why changing your phone's date to the past does not extend Netflix downloads on modern devices — most Widevine L1 implementations use a monotonic secure clock managed inside the TEE, which is immune to user-space time manipulation. On L3 devices (software-only), the clock is less secure, which is one of many reasons studios require L1 for higher-value content.
The 48-hour playback window
The playback window is different. It does not start at license issue time — it starts the first time you press play. So the license also carries a second field: "playback window starts when first used." The CDM records the first-play timestamp into its own secure storage at the moment decryption begins, and from then on, enforces "first play + 48 hours" as a second expiration check.
Once either the 30-day availability window or the 48-hour playback window expires (whichever comes first), the CDM stops decrypting. The encrypted segments remain on your phone, but they are now dead weight — no valid license points to them.
Server-Side Revocation — What Happens When Netflix Removes a Title
Titles come and go from Netflix's catalog. What happens to your offline downloads when a movie expires from the catalog mid-download window?
The answer is that Netflix cannot immediately invalidate a license you are already holding. The license is self-contained — once issued, the CDM will honor it until the embedded expiration, even fully offline. So you get to watch your download until the original license window closes.
What Netflix can do is refuse to issue any new licenses for that title. If you try to re-download the same title after it has left the catalog, the license server denies the request. If your existing license expires, you cannot refresh it. The content becomes unplayable on your device, even though the encrypted files are still sitting there. This is the offline-DRM version of "graceful degradation" — existing licenses play out, new licenses are denied.
For some content, Netflix can also issue shorter availability windows at license-grant time. A title that is about to leave the catalog might get a 7-day license instead of 30. You would not notice — you just see a shorter "expires in" counter in the app.
Why Reinstalling Netflix Does Not Fully Reset Your Downloads
People sometimes notice that uninstalling the Netflix app and reinstalling it does not fully reset their download state. Netflix remembers that you already downloaded a title on this device. This is not a server-side check — it works even in airplane mode. What is going on?
The answer is that download metadata lives in two places:
- Netflix app data — wiped on uninstall
- CDM secure storage — not wiped on uninstall, because it belongs to Widevine/FairPlay, not to Netflix
When you reinstall Netflix, the app queries the CDM for any persistent licenses that belong to the Netflix domain. It finds the ones you previously obtained, and now it knows which titles you have already downloaded on this device. The encrypted segment files are gone (they were in app data), so you cannot actually play anything — but the download counter against your account reflects reality because the license ledger survived.
A full factory reset does clear this, because it invalidates the device's Widevine identity and all attached CDM storage. That is the only reliable way to reset on-device download state.
Why Rooted Android and Jailbroken iOS Cannot Just Extract the Video
A common misconception is that rooting or jailbreaking lets you bypass DRM and rip downloads. It does not, for a few stacked reasons:
- Widevine detects root and downgrades to L3. The moment a device appears rooted, the Widevine provisioning server will only issue L3 licenses. L3 means Netflix caps you at 480p, and the license server may refuse to issue any persistent license at all.
- The content key never lives in normal memory. Even on L3 with pure software decryption, the Widevine CDM tries hard to keep keys out of reachable memory. On L1 (which root disables anyway), keys never leave the TEE.
- Decrypted frames go directly to the display controller. The decoded video path on modern SoCs is hardware-walled — the GPU reads from a secure buffer that normal CPU processes cannot touch.
- Even capturing the raw display signal is HDCP-protected. Anything going out over HDMI is encrypted by HDCP, and HDMI capture cards that strip HDCP are illegal in many jurisdictions and detected by license servers.
Every practical bypass relies on Widevine L3 weaknesses that Google closes as they are discovered, and even those only work for SD quality. The system is not unbreakable, but it is engineered so that the easier paths are locked and the harder paths are not worth the effort for most attackers.
The DevOps Lesson From All of This
Offline DRM is a beautiful example of self-enforcing authorization. Netflix does not need a live connection to know whether your license is still valid — all the information required to make that decision is already sitting inside your device, signed by a key the user cannot forge, in storage the user cannot read or modify, enforced by code the user cannot replace. The trust anchor is a hardware-backed device identity provisioned at manufacturing time, and every authorization decision descends from that root.
This pattern is not just for media companies. You see it in:
- Short-lived AWS credentials issued through OIDC trust relationships — self-expiring, no need to revoke actively
- Signed JWT tokens with embedded expiration — the server does not need a session store to know a token has expired
- S3 presigned URLs — the URL itself is the authorization, and it expires automatically
- TEE-backed secrets in confidential computing — AWS Nitro Enclaves, Intel SGX, ARM TrustZone, all following the same pattern of hardware-rooted trust
The Netflix download flow is the most polished consumer-visible example of self-enforcing DRM ever built. Once you see the pattern, you notice it everywhere in modern cloud security.
Frequently Asked Questions
Can I copy a Netflix download to another device?
No. The persistent license is bound to the original device's Widevine or FairPlay identity. Even if you copied the encrypted files and the license file, the second device's CDM would reject the license because it is wrapped for a different device's key.
Where are Netflix downloads stored on my phone?
In Netflix's app-private sandbox — /data/data/com.netflix.mediaclient/ on Android, or inside the sandboxed app container on iOS. These locations are invisible to file managers and other apps unless the device is rooted or jailbroken.
Are Netflix downloads stored as MP4 files?
No. They are collections of encrypted MPEG-DASH segments (or CMAF fragments), each individually encrypted with CENC, not a single video file. There is nothing a third-party player could open even with full disk access.
Why do Netflix downloads expire after 30 days?
The license issued by Netflix's license server contains a signed expiration timestamp. The CDM on your device enforces this locally using the device clock. Once the timestamp passes, the CDM refuses to decrypt, and the encrypted files become unplayable.
Why is there also a 48-hour playback window?
Separate from the 30-day availability window, the license has a "first play" clock that starts when you first decrypt the content. This gives studios a tighter control over actual consumption versus just downloading.
Does changing my phone's date extend Netflix downloads?
Not on modern devices. Widevine L1 implementations use a secure monotonic clock inside the TEE that is not affected by user-space time changes. This was a common bypass on older L3 devices but is closed on any device that supports HD streaming.
Why does Netflix still know about my old downloads after I reinstall the app?
Because the persistent licenses live in CDM secure storage, not app data. Uninstalling Netflix deletes the encrypted segment files but not the licenses. A factory reset is the only reliable way to clear them.
Can Netflix revoke a download I am already watching?
Not while you are offline — the license is self-contained and the CDM honors it until expiry. Netflix can refuse to issue new licenses the next time your device comes online, effectively blocking future downloads or re-downloads of the same title.
Next Steps
If you want the bigger picture on how this all fits together:
- How Netflix-Scale DRM Actually Works — the main deep-dive covering streaming, license servers, CENC, Widevine L1/L2/L3, HDCP, and Open Connect
- GitHub Actions OIDC — No Access Keys — the same self-expiring credential pattern, applied to CI/CD
- AWS IAM Best Practices — Least Privilege — attested authorization in your own cloud infrastructure
- Free DevOps resources
If this changed how you think about the Download button, share it with someone who still believes "downloads are just MP4 files with DRM stapled on."