Senior/Staff Mobile Security Engineer

Location San Francisco Employment Type Full time Location Type On-site Department Security About the Opportunity As a Mobile Security Engineer, you will own the security and integrity of the mobile applications at the core of the World protocol World App on Android and iOS used by millions of people worldwide to verify their identity, authenticate with biometrics, and manage digital assets. This is not a consultative role; you will be a hands‑on builder, designing and implementing the systems that ensure our mobile clients are trustworthy, tamper‑resistant, and resilient to adversarial attack at global scale. Our mobile threat model is uniquely challenging: the World App must perform privacy‑preserving biometric operations (iris and face authentication) on‑device, hold cryptographic keys for identity proofs, and interact with hardware attestation systems all while operating in environments where adversaries range from casual fraud to nation‑state‑level identity fabrication at scale. You will be the expert who ensures this stack cannot be subverted. Responsibilities Design, build, and operate mobile device attestation and integrity verification systems across Android and iOS including hardware‑backed key attestation (Android KeyStore TEE/StrongBox, Apple App Attest/Secure Enclave), ensuring requests originate from genuine, untampered devices running unmodified app code. Engineer anti‑tampering, anti‑hooking, and runtime integrity protections for the World App, making the app resilient against reverse engineering, instrumentation frameworks (Frida, Xposed), and repackaging attacks. Own the mobile hardening strategy end‑to‑end: certificate pinning, secure storage, obfuscation, jailbreak/root detection, debugger detection, and screen capture protection deciding which protections to build in‑house and which to source from vendors. Design cryptographic protocols for on‑device biometric authentication (Face Auth, selfie verification) that are resistant to replay, relay, and deepfake injection attacks, ensuring the biometric pipeline cannot be manipulated even on a compromised device. Build and maintain the server‑side attestation verification infrastructure (our Attestation Gateway) that validates Play Integrity tokens, hardware attestation certificate chains, and Apple App Attest assertions, making trust decisions that gate access to sensitive operations. Lead threat modeling for mobile‑specific attack surfaces: biometric bypass, key extraction, device cloning, session hijacking, overlay attacks, accessibility abuse, and automated bot farms using real devices. Embed security into the mobile development lifecycle performing deep code reviews of Android (Kotlin) and iOS (Swift) code, building automated security checks into CI/CD, and establishing secure coding standards for mobile teams. Mature our vulnerability management process for mobile, from triaging mobile‑specific bug bounty submissions to driving remediation with mobile engineering teams. Evaluate, integrate, and manage mobile security tooling and vendor relationships (RASP, SAST for mobile, binary analysis tools). About You You are a deeply technical mobile security engineer who has spent years protecting high‑value mobile applications against sophisticated adversaries. You have a builder's mindset; you don't just find problems, you ship solutions. You've been responsible for the security of mobile apps where the stakes are real: payments, identity, or financial services at scale. Required 8+ years of hands‑on experience in mobile security engineering, with deep expertise in at least one of Android or iOS (strong in both is ideal). Proven experience designing and operating mobile device attestation systems you understand Android Hardware Key Attestation (KeyMint, TEE, StrongBox, attestation certificate chains, Google root CA verification), Google Play Integrity API (Classic and Standard modes), and/or Apple App Attest (DeviceCheck, attestation/assertion flows, Secure Enclave) at a systems level, not just as an API consumer. Strong background in mobile application hardening: you have implemented or evaluated anti‑tampering, anti‑hooking, root/jailbreak detection, debugger detection, certificate pinning, and runtime integrity protection in production apps. Experience with mobile reverse engineering and offensive security: you can decompile APKs (jadx, apktool), analyze iOS binaries, use Frida/Objection for dynamic analysis, and think like an attacker to validate your defenses. Proficiency in Kotlin/Java (Android) and/or Swift (iOS) for security‑focused code review and building security libraries. Experience securing on‑device cryptographic operations: key generation, secure storage (Android KeyStore, iOS Keychain), and protocols that depend on hardware‑backed keys. Strong understanding of mobile‑specific attack vectors: overlay attacks, accessibility service abuse, screen recording, deepfake injection into camera pipelines, biometric bypass, and app cloning. Nice to have Experience building or operating server‑side attestation verification services (decrypting Play Integrity JWE/JWS tokens, validating X.509 attestation certificate chains, managing Apple App Attest key lifecycle in a backend). Experience with RASP vendor evaluation and integration (Zimperium, Guardsquare/DexGuard, Promon, Appdome). Background in payment security or PCI‑compliant mobile applications (SoftPOS, Tap‑to‑Pay, EMV). Familiarity with privacy‑preserving systems: zero‑knowledge proofs, on‑device biometric processing, or differential privacy. Experience scaling a Secure SDLC or security champions program for mobile engineering teams. Contributions to mobile security research, conference talks, or open‑source security tooling. Rust, Go, or Python experience for backend security tooling and infrastructure. What we offer The reasonably estimated salary for this role at Tools for Humanity ranges from $251,000 - $325,000 plus a competitive long‑term incentive package. Actual compensation is based on factors such as the candidate's skills, qualifications, and experience. In addition, Tools for Humanity offers a wide range of best‑in‑class, comprehensive, and inclusive employee benefits for this role, including healthcare, dental, vision, 401(k) plan and match, life insurance, flexible time off, commuter benefits, professional development stipend, and much more. #J-18808-Ljbffr Kubelt