Mobile Application Penetration Tester (iOS & Android)

5 years

0 Lacs

Posted: 3 weeks ago | Platform: LinkedIn

Work Mode

On-site

Job Type

Full Time

Job Description

Zimperium® is an industry leader in enterprise mobile security, being the first and only company to provide a complete mobile threat defense system that offers real-time, on-device, world-class protection against both known and unknown next-generation advanced mobile cyberattacks and malware.


Our MTD and award-winning machine learning-based engine protects against device, network, phishing and application attacks for iOS, Android and Windows devices, using a non-intrusive approach to always protect the privacy of users.


Mobile Application Penetration Tester


Key Responsibilities:

  • Conduct end-to-end penetration testing of iOS and Android mobile applications, including static, dynamic, and runtime analysis.
  • Assess mobile API integrations, authentication mechanisms, encryption protocols, and data storage security.
  • Identify and exploit vulnerabilities such as insecure data storage, weak cryptography, insecure communication, jailbreak/root bypasses, insecure code practices, and business logic flaws.
  • Use runtime instrumentation frameworks (Frida, Objection, Xposed) for dynamic testing and bypassing protections.
  • Perform certificate pinning bypass, hooking, and traffic interception using advanced proxying techniques.
  • Evaluate and attempt evasion of mobile app protections such as root/jailbreak detection, code obfuscation, anti-debugging, and tamper protection.
  • Develop custom scripts/exploits (Python, Java, Swift, Kotlin, or C++) for advanced testing scenarios.
  • Produce comprehensive penetration test reports, including risk ratings, proof-of-concept exploits, and actionable remediation steps.
  • Work closely with development and research security teams to embed secure SDLC practices.
  • Contribute to Red Team exercises by simulating adversarial attacks against mobile endpoints.


Required Skills & Experience:

  • 5+ years of experience in penetration testing, with at least 3 years focused on iOS and Android mobile applications.
  • Strong knowledge of OWASP Mobile Top 10, and NIST mobile security guidelines.
  • Expertise in:
    • Static & Reverse Engineering: Apktool, JADX, Ghidra, Hopper, IDA Pro, Radare2, JD-GUI.
    • Dynamic & Runtime Testing: Frida, Objection, Cycript, LLDB, Xposed.
    • Automation/Frameworks: MobSF, Drozer, Appium (for automation-assisted testing).
    • Proxying & Interception: Burp Suite Pro, OWASP ZAP, MITM tools.
  • Solid understanding of mobile OS internals (Android security model, iOS security architecture, Keychain, Secure Enclave, sandboxing).
  • Hands-on experience with jailbroken iOS and rooted Android devices for advanced exploitation.
  • Familiarity with cryptography, secure communications (TLS, cert pinning), and secure data storage techniques.
  • Ability to think like an attacker and perform creative exploitation beyond automated tool findings.


Preferred Certifications:

  • OSCP / OSEP / OSED (Offensive Security)
  • OSWE / OSMR (Offensive Security Web & Mobile certs)
  • EWPTX / EWAPT (eLearnSecurity)
  • CRTP / CRTE (Red Team certs)
  • CEH / CAP / API Security Testing (good to have, but not mandatory if strong hands-on skills)


Zimperium is an Equal Opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex including sexual orientation and gender identity, national origin, disability, protected veteran status, or any other characteristic protected by applicable federal, state, or local law.

Zimperium

Computer and Network Security

Dallas TX
