
Senior/Mobile Security Engineer

Job in San Francisco, San Francisco County, California, 94199, USA
Listing for: Tools-For-Humanity
Full Time position
Listed on 2026-05-30
Job specializations:
  • Security
    Cybersecurity
Salary/Wage Range or Industry Benchmark: 100000 - 125000 USD Yearly
Job Description & How to Apply Below
Position: Senior/Staff Mobile Security Engineer

About the Opportunity

As a Mobile Security Engineer, you will own the security and integrity of the mobile applications at the core of the World protocol: the World App on Android and iOS used by millions of people worldwide to verify their identity, authenticate with biometrics, and manage digital assets. This is not a consultative role; you will be a hands‑on builder, designing and implementing the systems that ensure our mobile clients are trustworthy, tamper‑resistant, and resistant to adversarial attack at global scale.

Our mobile threat model is uniquely challenging: the World App must perform privacy‑preserving biometric operations (iris and face authentication) on‑device, hold cryptographic keys for identity proofs, and interact with hardware attestation systems, all while operating in environments where adversaries range from casual fraud to nation‑state‑level identity fabrication. You will be the expert who ensures this stack cannot be subverted.

  • Design, build, and operate mobile device attestation and integrity verification systems across Android and iOS, including hardware‑backed key attestation (Android Keystore TEE/StrongBox, Apple App Attest/Secure Enclave), ensuring requests originate from genuine, untampered devices running unmodified app code.
  • Engineer anti‑tampering, anti‑hooking, and runtime integrity protections for the World App, making the app resilient against reverse engineering, instrumentation frameworks (Frida, Xposed), and repackaging attacks.
  • Own the mobile hardening strategy end‑to‑end: certificate pinning, secure storage, obfuscation, jailbreak/root detection, debugger detection, and screen capture protection, deciding which protections to build in‑house and which to source from vendors.
  • Design cryptographic protocols for on‑device biometric authentication (Face Auth, selfie verification) that are resistant to replay, relay, and deepfake injection attacks, ensuring the biometric pipeline cannot be manipulated even on a compromised device.
  • Build and maintain the server‑side attestation verification infrastructure (our Attestation Gateway) that validates Play Integrity tokens, hardware attestation certificate chains, and Apple App Attest assertions, making trust decisions that gate access to sensitive operations.
  • Lead threat modelling for mobile‑specific attack surfaces: biometric bypass, key extraction, device cloning, session hijacking, overlay attacks, accessibility abuse, and automated bot farms using real devices.
  • Embed security into the mobile development lifecycle, performing deep code reviews of Android (Kotlin) and iOS (Swift) code, building automated security checks into CI/CD, and establishing secure coding standards for mobile teams.
  • Mature our vulnerability management process for mobile, from triaging mobile‑specific bug bounty submissions to driving remediation with mobile engineering teams.
  • Evaluate, integrate, and manage mobile security tooling and vendor relationships (RASP, SAST for mobile, binary analysis tools).
About You

You are a deeply technical mobile security engineer who has spent years protecting high‑value mobile applications against sophisticated adversaries. You have a builder's mindset; you don't just find problems, you ship solutions. You've been responsible for the security of mobile apps where the stakes are real: payments, identity, or financial services at scale.

  • 8+ years of hands‑on experience in mobile security engineering, with deep expertise in at least one of Android or iOS (strong in both is ideal).
  • Proven experience designing and operating mobile device attestation systems; you understand Android Hardware Key Attestation (KeyMint, TEE, StrongBox, attestation certificate chains, Google root CA verification), Google Play Integrity API (Classic and Standard modes), and/or Apple App Attest (DeviceCheck, attestation/assertion flows, Secure Enclave) at a systems level, not just as an API consumer.
  • Strong background in mobile application hardening: you have implemented or evaluated anti‑tampering, anti‑hooking, root/jailbreak detection, debugger detection, certificate pinning, and runtime integrity protection in production apps.
  • Experience…
Position Requirements
10+ Years work experience