Senior/Staff Mobile Security Engineer at Tools%20for%20humanity

About the Company: World is building a real human network designed to accelerate people in the age of AI. As bots and autonomous agents reshape the internet, people, institutions, and applications need a trusted way to confirm who is a real human while preserving privacy. Our products make this possible: the Orb verifies real people, World ID proves it privately, and World App enables and distributes the new applications made possible by this technology. Together, they form a new layer for AI internet. We’re one of the fastest-growing networks in tech. More than 17 million people across 160 countries have verified with World ID, and we complete over 350,000 verifications each week. World App is already among the most used wallets globally. Developers are integrating World ID to build safer online experiences and create spaces where real people can participate, earn, and be recognized in ways AI simply can’t replicate. World was founded in 2019 and launched globally in 2023. We are more than 400 people across hardware, software, AI, cryptography, mobile engineering, and global operations. Our teams come from OpenAI, Tesla, SpaceX, Apple, Google, Stripe, Meta, Coinbase, Palantir and MIT Media Lab. We’re backed by leading investors, including a16z, Khosla Ventures, Bain Capital Crypto, Blockchain Capital, Variant, Tiger Global, and Coinbase Ventures, as well as prominent operators and founders across fintech and AI. World has been featured on the cover of TIME Magazine [Upgrade to PRO to see link] highlighted in Fast Company’s [Upgrade to PRO to see link] Next 5 in Fintech, and explored in a Bloomberg deep dive [Upgrade to PRO to see link] The New York Times [Upgrade to PRO to see link] Bankless [Upgrade to PRO to see link] and TechCrunch [Upgrade to PRO to see link] have all recognized our progress in identity, cryptography, AI, and global-scale hardware deployment. Our leadership is also named to the Time AI 100 [Upgrade to PRO to see link] Learn more about the newest product launches from our Unwrapped [Upgrade to PRO to see link] event. ABOUT THE TEAM The Security team at Tools for Humanity operates at a level far beyond a regular company. Our objective is not just to secure an organization, but to build the trusted, foundational infrastructure for the world's largest identity and financial network. We are a team of over 15 seasoned engineers who are central to the success of the World [Upgrade to PRO to see link] protocol. We tackle a unique and complex threat landscape [Upgrade to PRO to see link] that spans state-of-the-art hardware security for the Orb, advanced cryptography including new zero-knowledge proofs, and the security of a global, distributed cloud and mobile ecosystem. Our work is critical to enabling the protocol to scale to billions of users while upholding an unwavering commitment to fail-safe security and privacy. ABOUT THE OPPORTUNITY As a Mobile Security Engineer, you will own the security and integrity of the mobile applications at the core of the World protocol World App on Android and iOS used by millions of people worldwide to verify their identity, authenticate with biometrics, and manage digital assets. This is not a consultative role; you will be a hands-on builder, designing and implementing the systems that ensure our mobile clients are trustworthy, tamper-resistant, and resistant to adversarial attack at global scale. Our mobile threat model is uniquely challenging: the World App must perform privacy-preserving biometric operations (iris and face authentication) on-device, hold cryptographic keys for identity proofs, and interact with hardware attestation systems all while operating in environments where adversaries range from casual fraud to nation-state-level identity fabrication at scale. You will be the expert who ensures this stack cannot be subverted. You will: - Design, build, and operate mobile device attestation and integrity verification systems across Android and iOS including hardware-backed key attestation (Android KeyStore TEE/StrongBox, Apple App Attest/Secure Enclave), ensuring requests originate from genuine, untampered devices running unmodified app code. - Engineer anti-tampering, anti-hooking, and runtime integrity protections for the World App, making the app resilient against reverse engineering, instrumentation frameworks (Frida, Xposed), and repackaging attacks. - Own the mobile hardening strategy end-to-end: certificate pinning, secure storage, obfuscation, jailbreak/root detection, debugger detection, and screen capture protection deciding which protections to build in-house and which to source from vendors. - Design cryptographic protocols for on-device biometric authentication (Face Auth, selfie verification) that are resistant to replay, relay, and deepfake injection attacks, ensuring the biometric pipeline cannot be manipulated even on a compromised device. - Build and maintain the server-side attestation verification infrastructure (our Attestation Gateway) that validates Play Integrity tokens, hardware attestation certificate chains, and Apple App Attest assertions, making trust decisions that gate access to sensitive operations. - Lead threat modeling for mobile-specific attack surfaces: biometric bypass, key extraction, device cloning, session hijacking, overlay attacks, accessibility abuse, and automated bot farms using real devices. - Embed security into the mobile development lifecycle performing deep code reviews of Android (Kotlin) and iOS (Swift) code, building automated security checks into CI/CD, and establishing secure coding standards for mobile teams. - Mature our vulnerability management process for mobile, from triaging mobile-specific bug bounty submissions to driving remediation with mobile engineering teams. - Evaluate, integrate, and manage mobile security tooling and vendor relationships (RASP, SAST for mobile, binary analysis tools). ABOUT YOU You are a deeply technical mobile security engineer who has spent years protecting high-value mobile applications against sophisticated adversaries. You have a builder's mindset; you don't just find problems, you ship solutions. You've been responsible for the security of mobile apps where the stakes are real: payments, identity, or financial services at scale. Required: - 8+ years of hands-on experience in mobile security engineering, with deep expertise in at least one of Android or iOS (strong in both is ideal). - Proven experience designing and operating mobile device attestation systems you understand Android Hardware Key Attestation (KeyMint, TEE, StrongBox, attestation certificate chains, Google root CA verification), Google Play Integrity API (Classic and Standard modes), and/or Apple App Attest (DeviceCheck, attestation/assertion flows, Secure Enclave) at a systems level, not just as an API consumer. - Strong background in mobile application hardening: you have implemented or evaluated anti-tampering, anti-hooking, root/jailbreak detection, debugger detection, certificate pinning, and runtime integrity protection in production apps. - Experience with mobile reverse engineering and offensive security: you can decompile APKs (jadx, apktool), analyze iOS binaries, use Frida/Objection for dynamic analysis, and think like an attacker to validate your defenses. - Proficiency in Kotlin/Java (Android) and/or Swift (iOS) for security-focused code review and building security libraries. - Experience securing on-device cryptographic operations: key generation, secure storage (Android KeyStore, iOS Keychain), and protocols that depend on hardware-backed keys. - Strong understanding of mobile-specific attack vectors: overlay attacks, accessibility service abuse, screen recording, deepfake injection into camera pipelines, biometric bypass, and app cloning. Nice to have: - Experience building or operating server-side attestation verification services (decrypting Play Integrity JWE/JWS tokens, validating X.509 attestation certificate chains, managing Apple App Attest key lifecycle in a backend). - Experience with RASP vendor evaluation and integration (Zimperium, Guardsquare/DexGuard, Promon, Appdome). - Background in payment security or PCI-compliant mobile applications (SoftPOS, Tap-to-Pay, EMV). - Familiarity with privacy-preserving systems: zero-knowledge proofs, on-device biometric processing, or differential privacy. - Experience scaling a Secure SDLC or security champions program for mobile engineering teams. - Contributions to mobile security research, conference talks, or open-source security tooling. - Rust, Go, or Python experience for backend security tooling and infrastructure. WHAT WE OFFER The reasonably estimated salary for this role at Tools for Humanity ranges from $251,000 - $325,000 plus a competitive long-term incentive package. Actual compensation is based on factors such as the candidate's skills, qualifications, and experience. In addition, Tools for Humanity offers a wide range of best-in-class, comprehensive, and inclusive employee benefits for this role, including healthcare, dental, vision, 401(k) plan and match, life insurance, flexible time off, commuter benefits, professional development stipend, and much more. By submitting your application, you consent to the processing and internal sharing of your CV within the company, in compliance with the GDPR. If you don't think you meet all of the criteria but are still interested in the job, please apply. Nobody checks every box, and we're looking for someone excited to join the team.