Senior Software Engineer, Client Security
San Jose, California, United States of America
Posted 1 week ago
Full-time, hybrid
Job Description
Client Security is part of the Business Risk Integrated Control (BRIC) team. We focus on building end-to-end, defense-in-depth systems that balance privacy and business needs to combat large-scale automated fraud and API abuse. Our scope includes client environment inspection, risky signal collection, trusted computing, traffic validation, data mining, and delivering tools and subject-matter services to business lines.
Responsibilities:
- Client-side security engineering: Develop, iterate, maintain, and provide technical support for client-side security components across Android, iOS, macOS, and Windows.
- Binary and runtime protection: Research and implement cutting-edge techniques to detect and prevent app cracking, tampering, hooking/injection, automation attacks, and other large-scale abuse; drive competitive analysis and key technical breakthroughs to strengthen defenses and product experience.
- Cross-functional threat response: Collaborate with client, backend, risk, and privacy stakeholders to research malicious tooling, track emerging attacks, and build anti-automation and validation systems.
- AI-driven automation defense: Build client-side defenses against AI-driven automation (LLM-assisted/scripted bots), including behavior modeling, anomaly detection, and proof-of-human signal design.
- On-device ML and content integrity: Secure on-device ML components used in product features—covering model integrity verification, anti-tamper/anti-extraction, encrypted model loading, and secure inference runtimes (e.g., TEE/Secure Enclave)—and research adversarial ML and deepfake vectors impacting client features (e.g., biometrics, media, content) to design on-device detection and mitigation pipelines.
Minimum Qualifications
- Strong passion for information security with hands-on experience in binary security and reverse engineering, including code obfuscation, VMP/virtualization, anti-debugging, anti-injection, and malware analysis.
- Deep understanding of OS internals; proficiency in C/C++, Objective-C, and Java; familiarity with ARM/x86 assembly; solid programming skills and clean coding habits.
- Cross-platform client security experience is preferred; expert-level proficiency in at least one platform (Android, iOS, macOS, or Windows) with the ability to deliver independently.
- Working knowledge of AI security and adversarial ML concepts (e.g., evasion/poisoning attacks, model extraction/inversion, jailbreak/prompt-injection, data exfiltration) and their impact on client-side defenses.
- Experience designing signals and features to differentiate human-device interactions from automated agents and reducing false positives under privacy constraints.
Preferred Qualifications
- Experience with TEE/TrustZone/Secure Enclave, device/app attestation, and secure traffic validation.
- Familiarity with Frida, Xposed, Clang/LLVM, static/dynamic analysis, and symbol/identifier obfuscation and hardening pipelines; experience building large-scale anti-automation and validation systems.
- Experience with on-device ML frameworks (e.g., TensorFlow Lite, PyTorch Mobile, Core ML, Metal, NNAPI) and secure model deployment (e.g., encryption, integrity checks, guarded runtime), as well as client-side bot detection leveraging ML, deepfake/synthetic media detection, content provenance/watermark verification (e.g., C2PA), and privacy-preserving ML (e.g., differential privacy/federated approaches).
- Prior AI red teaming or attack tooling development (e.g., prompt-injection harnesses, adversarial example generation) and collaboration with applied ML teams on guardrails and monitoring.