Senior/Staff Mobile Security Engineer

About The Position

Requirements

• 8+ years of hands-on experience in mobile security engineering, with deep expertise in at least one of Android or iOS (strong in both is ideal).
• Proven experience designing and operating mobile device attestation systems you understand Android Hardware Key Attestation (KeyMint, TEE, StrongBox, attestation certificate chains, Google root CA verification), Google Play Integrity API (Classic and Standard modes), and/or Apple App Attest (DeviceCheck, attestation/assertion flows, Secure Enclave) at a systems level, not just as an API consumer.
• Strong background in mobile application hardening: you have implemented or evaluated anti-tampering, anti-hooking, root/jailbreak detection, debugger detection, certificate pinning, and runtime integrity protection in production apps.
• Experience with mobile reverse engineering and offensive security: you can decompile APKs (jadx, apktool), analyze iOS binaries, use Frida/Objection for dynamic analysis, and think like an attacker to validate your defenses.
• Proficiency in Kotlin/Java (Android) and/or Swift (iOS) for security-focused code review and building security libraries.
• Experience securing on-device cryptographic operations: key generation, secure storage (Android KeyStore, iOS Keychain), and protocols that depend on hardware-backed keys.
• Strong understanding of mobile-specific attack vectors: overlay attacks, accessibility service abuse, screen recording, deepfake injection into camera pipelines, biometric bypass, and app cloning.

Nice To Haves

• Experience building or operating server-side attestation verification services (decrypting Play Integrity JWE/JWS tokens, validating X.509 attestation certificate chains, managing Apple App Attest key lifecycle in a backend).
• Experience with RASP vendor evaluation and integration (Zimperium, Guardsquare/DexGuard, Promon, Appdome).
• Background in payment security or PCI-compliant mobile applications (SoftPOS, Tap-to-Pay, EMV).
• Familiarity with privacy-preserving systems: zero-knowledge proofs, on-device biometric processing, or differential privacy.
• Experience scaling a Secure SDLC or security champions program for mobile engineering teams.
• Contributions to mobile security research, conference talks, or open-source security tooling.
• Rust, Go, or Python experience for backend security tooling and infrastructure.

Responsibilities

• Design, build, and operate mobile device attestation and integrity verification systems across Android and iOS including hardware-backed key attestation (Android KeyStore TEE/StrongBox, Apple App Attest/Secure Enclave), ensuring requests originate from genuine, untampered devices running unmodified app code.
• Engineer anti-tampering, anti-hooking, and runtime integrity protections for the World App, making the app resilient against reverse engineering, instrumentation frameworks (Frida, Xposed), and repackaging attacks.
• Own the mobile hardening strategy end-to-end: certificate pinning, secure storage, obfuscation, jailbreak/root detection, debugger detection, and screen capture protection deciding which protections to build in-house and which to source from vendors.
• Design cryptographic protocols for on-device biometric authentication (Face Auth, selfie verification) that are resistant to replay, relay, and deepfake injection attacks, ensuring the biometric pipeline cannot be manipulated even on a compromised device.
• Build and maintain the server-side attestation verification infrastructure (our Attestation Gateway) that validates Play Integrity tokens, hardware attestation certificate chains, and Apple App Attest assertions, making trust decisions that gate access to sensitive operations.
• Lead threat modeling for mobile-specific attack surfaces: biometric bypass, key extraction, device cloning, session hijacking, overlay attacks, accessibility abuse, and automated bot farms using real devices.
• Embed security into the mobile development lifecycle performing deep code reviews of Android (Kotlin) and iOS (Swift) code, building automated security checks into CI/CD, and establishing secure coding standards for mobile teams.
• Mature our vulnerability management process for mobile, from triaging mobile-specific bug bounty submissions to driving remediation with mobile engineering teams.
• Evaluate, integrate, and manage mobile security tooling and vendor relationships (RASP, SAST for mobile, binary analysis tools).

Benefits

• Tools for Humanity offers a wide range of best-in-class, comprehensive, and inclusive employee benefits for this role, including healthcare, dental, vision, 401(k) plan and match, life insurance, flexible time off, commuter benefits, professional development stipend, and much more.