k0de
  less

████████╗██╗  ██╗███████╗    ██████╗  ██████╗  ██████╗ ███╗   ███╗
╚══██╔══╝██║  ██║██╔════╝    ██╔══██╗██╔═══██╗██╔═══██╗████╗ ████║
   ██║   ███████║█████╗      ██║  ██║██║   ██║██║   ██║██╔████╔██║
   ██║   ██╔══██║██╔══╝      ██║  ██║██║   ██║██║   ██║██║╚██╔╝██║
   ██║   ██║  ██║███████╗    ██████╔╝╚██████╔╝╚██████╔╝██║ ╚═╝ ██║
   ╚═╝   ╚═╝  ╚═╝╚══════╝    ╚═════╝  ╚═════╝  ╚═════╝ ╚═╝     ╚═╝
    

BIO

About me!

I'm Eduardo Blázquez but people know me by Fare9 in security conferences and groups. I'm research assistant and Phd student at UC3M's Computer Security Lab (COSEC), my research is mainly focused on the Android ecosystem security and privacy. Before joining COSEC lab I worked for ReversingLab as junior reverse engineer and before in Panda Security as malware analyst. I got my computer engineering degree at Universidad de Alcalá de Henares (UAH), and later a Master's degree in Cybersecurity at Universidad Carlos III de Madrid (UC3M). I'm interested on low level and internals of systems and software, operating systems, programming languages, reverse engineering, malware analysis, exploiting and so on. I like coding in C, C++, python and assembly language (intel x86 for 32 and 64 bits, but I plan to learn ARM).

Hobbies

When I’m not in front of my laptop I like to play videogames, read manga or watch anime.

I like martial arts, I hold a 1st Dan Black Belt in Jinsoku Ryu Ninjutsu with David Arranz, I also practice kick/thai boxing and Krav Maga with Eduardo Álvarez.

As you can see I really like Japanese culture, so commonly I’m listening music from this country at the laboratory (I leave a list at the bottom of this page), I cook sometimes japanese food at home, and currently I’m learning their language.

Music

As I said in hobbies here you can find a list of songs I like to listen while working:

人間椅子 (Ningen Isu) - 怪人二十面相 (Kaijin Nijū Mensō)

人間椅子「見知らぬ世界」(”Mishiranusekai” - NINGEN ISU)

ウルフルズ “サンシャインじゃない? (Ulfuls - Sunshine janai?)

ウルフルズ - ガッツだぜ!! (Ulfuls - Gattsu daze!!)

BLACKPINK - ‘마지막처럼 (AS IF IT’S YOUR LAST)’

MOMOLAND「BAAM -Japanese ver.-」

MOMOLAND「BBoom BBoom -Japanese ver.-」

BLACKPINK - ‘STAY’

Projects

You can find more of the projects I’m working and I’ve worked in the past on my Github.

Currently I work in a tool for Static Analysis of Android DEX files called Kunai.

Previously I worked on a PIN Based dynamic unpacker ANBU.

I’ve also being interested on the internals of Windows operationg system, you can find my code in next repository.

Publications

Here I’ll leave my publications in conferences as well as different important articles I could write:

Trouble Over-The-Air: An analysis of FOTA Apps in the Android Ecosystem

Eduardo Blázquez, Sergio Pastrana, Álvaro FEAL, Julien GAMBA, Platon Kotzias, Narseo VALLINA-RODRÍGUEZ, Juan Tapiador

42nd IEEE Symposium on Security and Privacy. March 2021

Introduction 1 minute video: Trouble Over-The-Air: An Analysis of FOTA Apps in the Android Ecosystem

Talk: Trouble Over-The-Air: An Analysis of FOTA Apps in the Android Ecosystem (you can activate subs in English)

Abstract

Android firmware updates are typically managed by the so-called FOTA (Firmware Over-the-Air) apps. Such apps are highly privileged and play a critical role in maintaining devices secured and updated. The Android operating system offers standard mechanisms—available to Original Equipment Manufacturers (OEMs)—to implement their own FOTA apps but such vendor-specific implementations could be a source of security and privacy issues due to poor software engineering practices. This paper performs the first large-scale and systematic analysis of the FOTA ecosystem through a dataset of 2,013 FOTA apps detected with a tool designed for this purpose over 422,121 pre-installed apps. We classify the different stakeholders developing and deploying FOTA apps on the Android update ecosystem, showing that 43% of FOTA apps are developed by third parties. We report that some devices can have as many as 5 apps implementing FOTA capabilities. By means of static analysis of the code of FOTA apps, we show that some apps present behaviors that can be considered privacy intrusive, such as the collection of sensitive user data (e.g., geolocation linked to unique hardware identifiers), and a significant presence of third-party trackers. We also discover implementation issues leading to critical vulnerabilities, such as the use of public AOSP test keys both for signing FOTA apps and for update verification, thus allowing any update signed with the same key to be installed. Finally, we study telemetry data collected from real devices by a commercial security tool. We demonstrate that FOTA apps are responsible for the installation of non-system apps (e.g., entertainment apps and games), including malware and Potentially Unwanted Programs (PUP). Our findings suggest that FOTA development practices are misaligned with Google’s recommendations.

@inproceedings{blazquez2021fota,
  author    = {E. Bl\'azquez and S. Pastrana and \'A. Feal and J. Gamba and P. Kotzias and N. Vallina-Rodriguez and J. Tapiador},
  booktitle = {2021 2021 IEEE Symposium on Security and Privacy (SP)},
  title     = {Trouble Over-the-Air: An Analysis of FOTA Apps in the Android Ecosystem},
  year      = {2021},
  volume    = {},
  issn      = {2375-1207},
  pages     = {1641-1657},
  keywords  = {privacy;security;android;supply-chain;updates},
  doi       = {10.1109/SP40001.2021.00095},
  url       = {https://doi.ieeecomputersociety.org/10.1109/SP40001.2021.00095},
  publisher = {IEEE Computer Society},
  address   = {Los Alamitos, CA, USA},
  month     = {may}
}