Mobile Application Penetration Tester (iOS & Android)

extra holidays - extra parental leave
Work set-up: Full Remote
Experience: Senior (5-10 years)

Offer summary

Qualifications:

  • Minimum 5 years of experience in penetration testing, with at least 3 years focused on iOS and Android applications.
  • Strong knowledge of OWASP Mobile Top 10 and NIST mobile security guidelines.
  • Proficiency in static and dynamic reverse engineering tools such as JADX, Ghidra, Hopper, IDA Pro, and Radare2.
  • Hands-on experience with runtime analysis frameworks like Frida, Objection, and Xposed.

Key responsibilities:

  • Perform end-to-end penetration testing of mobile applications, including static, dynamic, and runtime analysis.
  • Assess security of mobile API integrations, authentication, encryption, and data storage.
  • Identify and exploit vulnerabilities such as insecure data storage, weak cryptography, and jailbreak/root bypasses.
  • Develop custom scripts and exploits for advanced testing scenarios.

Zimperium Cybersecurity SME https://www.zimperium.com/
201 - 500 Employees

Job description

Zimperium® is an industry leader in enterprise mobile security, being the first and only company to provide a complete mobile threat defense system that offers real-time, on-device, world-class protection against both known and unknown next-generation advanced mobile cyberattacks and malware.
Our MTD and award-winning machine-learning-based engine protects against device, network, phishing and application attacks for iOS, Android and Windows devices, using a non-intrusive approach that always protects user privacy.
As part of our fast-growing pace, we are currently looking for an experienced Mobile Application Penetration Tester with deep expertise in security assessments of iOS and Android applications. The role requires advanced skills in runtime analysis, exploit development, and Red Team methodologies. You will be responsible for simulating real-world adversarial attacks, uncovering critical vulnerabilities, and working closely with stakeholders to strengthen the security posture of mobile ecosystems.
Key Responsibilities:
  • Conduct end-to-end penetration testing of iOS and Android mobile applications, including static, dynamic, and runtime analysis.
  • Assess mobile API integrations, authentication mechanisms, encryption protocols, and data storage security.
  • Identify and exploit vulnerabilities such as insecure data storage, weak cryptography, insecure communication, jailbreak/root bypasses, insecure code practices, and business logic flaws.
  • Use runtime instrumentation frameworks (Frida, Objection, Xposed) for dynamic testing and bypassing protections.
  • Perform certificate pinning bypass, hooking, and traffic interception using advanced proxying techniques.
  • Evaluate and attempt evasion of mobile app protections such as root/jailbreak detection, code obfuscation, anti-debugging, and tamper protection.
  • Develop custom scripts/exploits (Python, Java, Swift, Kotlin, or C++) for advanced testing scenarios.
  • Produce comprehensive penetration test reports, including risk ratings, proof-of-concept exploits, and actionable remediation steps.
  • Work closely with development and security research teams to embed secure SDLC practices.
  • Contribute to Red Team exercises by simulating adversarial attacks against mobile endpoints.

Required Skills & Experience:
  • 5+ years of experience in penetration testing, with at least 3 years focused on iOS and Android mobile applications.
  • Strong knowledge of OWASP Mobile Top 10 and NIST mobile security guidelines.
  • Expertise in:
      • Static & Reverse Engineering: Apktool, JADX, Ghidra, Hopper, IDA Pro, Radare2, JD-GUI.
      • Dynamic & Runtime Testing: Frida, Objection, Cycript, LLDB, Xposed.
      • Automation Frameworks: MobSF, Drozer, Appium (for automation-assisted testing).
      • Proxying & Interception: Burp Suite Pro, OWASP ZAP, MITM tools.
  • Solid understanding of mobile OS internals (Android security model, iOS security architecture, Keychain, Secure Enclave, sandboxing).
  • Hands-on experience with jailbroken iOS and rooted Android devices for advanced exploitation.
  • Familiarity with cryptography, secure communications (TLS, certificate pinning), and secure data storage techniques.
  • Ability to think like an attacker and perform creative exploitation beyond automated tool findings.

Preferred Certifications:
  • OSCP, OSEP, OSED (Offensive Security)
  • OSWE, OSMR (Offensive Security Web & Mobile certs)
  • eWPTX, eWAPT (eLearnSecurity)
  • CRTP, CRTE (Red Team certs)
  • CEH, CAP, API Security Testing (good to have, but not mandatory if strong hands-on skills)

Zimperium, Inc. is a global leader in mobile device and app security, offering real-time, on-device protection against both known and unknown threats on Android, iOS and Chromebook endpoints. The company was founded under the premise that the then-current state of mobile security was insufficient to solve the growing mobile security problem. At the time, most mobile security was a port from traditional endpoint security technologies. Zimperium recognized that mobile devices had unique characteristics needing a completely new approach. The team set to work to reimagine how to protect mobile devices and developed the award-winning, patented z9 machine-learning-based engine.

Zimperium is an Equal Opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex including sexual orientation and gender identity, national origin, disability, protected veteran status, or any other characteristic protected by applicable federal, state, or local law.

Required profile

Experience

Level of experience: Senior (5-10 years)
Industry :
Cybersecurity
Spoken language(s):
English

Other Skills

  • Teamwork
  • Communication
  • Problem Solving
