Eduardo Novella

"It's not that I'm so smart;

it's just that I stay with problems longer."

– Albert Einstein

Hacker, chessplayer, security enthusiast, swimmer, dreamer

Specialized in

  • Android Mobile Reverse Engineering (Cloud-based payments, Malware, Video-games and DRM)
  • Android Code Obfuscation (RASP, MBA, anti-tampering, CFG flattening, …)
  • Source code review (C/C++/Java/JavaCard)
  • Mobile Security Analyst/Engineer
  • Embedded Security (Side channel & Fault injection attacks on Smartcards, Pay-TV SoCs, routers, smart-meters, IOT devices,…)

Computer Skills

  • Software: Java, Python, JavaCard, Bash, C/C++/C#, HTML, JS/TypeScript, Visual Basic, Assembler (Intel,MIPS,ARM32/64,AVR,Dalvik), Matlab, Mathematica, VHDL, Yara, LATEX, Markdown

  • Hardware: Side channel & Fault injection attacks, JTAG, UART, SPI, SWD, I2C, TI MSP430Fxx, AVR ATMEGA, ARM Cortex, Bus Pirate, EEPROM reader, logic analyzer, firmware dumping, soldering skills

  • Tools:

    • RE: IDA Pro (idapython), Ghidra, Radare2 (r2pipe API), Frida, Xposed, JEB, Android RE tools, GDB (gef), Binary ninja
    • Network: Burp, mitmproxy, Nmap, sqlmap, aircrack-ng, and Kali toolbox
    • Fuzzing: Defensics (Synopsys), AFL
    • Others: Android Studio, VS Code, AVR Studio, QEMU, Hashcat, Truecrypt, VMware, Wireshark, Kali linux, libnfc, RFIDIOt, OpenOCD, Texmaker, Git, svn, hg, any shell-like tools


2012-2015 The Kerckhoffs Institute. Radboud University Nijmegen, The Netherlands

  • Master’s Degree in Computer Security. 2 year course studying : Cryptography engineering, security, smartcards, verification of security protocols, software security, hardware security, network security, security and privacy in mobile systems, side-channel attacks, machine learning and so on.

2009-2012 Universidad Politécnica de Valencia, Spain

  • Bachelor’s Degree in Computer Engineering. 3 year course in Computer Engineering. Specialization: Systems and network administration.

2003-2005 I.E.S Abastos, Valencia, Spain

  • High level Technical Degree in Development of Computer Applications (DAI). 2 year course about programming and databases.


2015 Best Student Paper at Usenix WOOT (Washington, USA) Scrutinizing WPA2 Password Generating Algorithms in Wireless Routers

2015 CVE-2015-0558 Reverse-engineering the default WPA key generation algorithm for Pirelli routers in Argentina

2015 CVE-2015-0554 ADB BroadBand Pirelli ADSL2/2+ Wireless Router P.DGA4001N remote information disclosure HomeStation Movistar

2012 CVE-2012-6371 Insecure default WPS pin in some Belkin wireless routers

2012 3rd position Crypto-challenge in my Faculty Breaking easy cryptograms

2010 Well-known vulnerability Reverse-engineering the default WPA key generation algorithm for Telefonica Comtrend routers in Spain


2019-present NowSecure, Chicago, Washington DC and Seattle (USA). Remote

Mobile Security Research Engineer

  • Keywords: Mobile Security, Android/iOS, dynamic and static analysis, Radare2, Frida, NowSecure WorkStation, Research, Engineering, Reverse-engineering, Findings, RASP bypass

2018-2019 (10 mo) Synopsys, London, United Kingdom

Senior Security Consultant

  • Keywords: Android Mobile security (RASP), Dynamic Binary Instrumentation (Frida), Reverse-engineering (IDA Pro & Radare2), Reverse-engineering of Android Fingerprint Trustlets (TEE & TrustZone), ARM assembly (32-64 bits), Source code review (C/C++/Java/Python), IOT hacking & fuzzing (Defensics).

2015-2018 (3 years 2mo) Riscure, Delft, The Netherlands

Security Analyst

  • Keywords: Android reverse engineer for Cloud-based payments apps (HCE) and DRM (Pay-TV), whitebox cryptography, Frida & Unicorn emulator, mPOS, Pay-TV, DRM reverse-engineering, secure boot, fault injection, glitching, source code review, embedded security, obfuscation, TEE, ARM & MIPS exploitation, side channels, smart-meters, modems, javacard & smartcards

Performing security evaluations for various products in the mobile payment and content protection markets. Concretely, evaluating satellite receivers (Pay-TV), Digital Right Management systems and Android mobile payment applications (mainly Host Card Emulation). My regular work consists of performing dynamic binary instrumentation and evaluating the security mechanisms (anti -root,-debugging,-emulation,…) on Android mobile banking apps. One of my goals is to deobfuscate binary code and fight against packers. In addition I assess the robustness of the architecture design and attempt to break the security of obfuscated ciphers implemented in software also known as White-box cryptography. Occasionally I evaluate MicroSoft PlayReady certifications on the Trusted Execution Environment (TEE) area where the main goal is to find memory corruption bugs and exploit them until gaining code execution. Another of my skills is in reviewing the hardware and software security of gas smart meters, modems and any other embedded device which may come into my hands.

2014-2015 (7mo) Fox-IT, Delft, The Netherlands

Intern. Masters Thesis; “Hardware Reverse-engineering”

  • Keywords: Hardware reverse engineering, wirelessHART protocol, SCADA security, wireless sensor networks, industrial systems, JTAG, SPI sniffing, firmware dumping, OpenOCD, flashtool, Bus pirate

Internship investigating wireless SCADA devices to extract the cryptographic keys by applying hardware attacks.

2006-2011 WiFiSlaX, SeguridadWireless, Spain


Description: Our main goal was to create a kind of BackTrack distribution mainly focused on wireless hacking technology. During those years, I was reverse engineering some routers of important ISP’s and sniffing around with devices on 2.4Ghz. Also, I installed tools and tailored Linux distributions just for fun


2005 Nutelco S.L., Valencia, Spain

Visual Basic Developer


Interests and Hobbies

I love all sports but I mostly prefer swimming and chess. Enjoy reading technical about programming, reverse engineering, exploiting, vulnerabilities and so on. Play hacking contests whenever I have some spare time. Know how to repair computers. Besides computers, I also love nature a lot.

Contact me at:

foro.dudu [At] gmail [Dot] com