Mobile Application Security Engineer

The opportunity: #

This position is open exclusively for Ukrainian residents within Ukraine (preferably Kyiv or Lviv).

Cossack Labs is looking for a Mobile application security engineer to join our Security team and work with us on building and breaking software. If you are interested in designing and building security controls, working hand-in-hand with software developers, performing security assessments, this may be the position for you.

We are ready to invest time in your education if you are prepared to work diligently and responsibly. Alongside technical skills, we’ll teach you leadership, time management, business context, and how to keep improving cybersecurity despite the ever-increasing entropy of the world.

We are a data security solutions company, providing custom bespoke solutions to innovative software development teams around the world. Our software is well-known amongst security-aware teams, recommended by OWASP, and popular for easily solving complicated security challenges. Apart from building “off-the-shelf” solutions, we design custom security controls for novel problems.

We work in the B2B space, with customers such as IIoT, AI / ML based systems, mission critical systems, robotics, navigation, power grid operators, payment processors, financial apps, legal companies, million-user customer applications. We cater to young ambitious startups and well-established enterprises, who use our software and solutions as core part of their security arsenal. Our customers are smart, but extremely demanding.

Markets: EU, UK, USA, UA.

You will: #

• Participate in security assessments of mobile applications (iOS, Android, Flutter, React Native). Focus on platform-specific security controls (biometrics, security storage, device capabilities, reverse-engineering protections). Perform analysis and threat modelling.
• Treat mobile app as a gateway into a larger system, build security defences from app to the backend and back (transport protections, TLS pinning, anti-fraud systems).
• Participate in SSDLC for our products and our customers’ products. Explain risks & threats, work together with developers to select security controls that would improve security without restricting usability/performance.
• Stay up to date with emerging security threats, vulnerabilities, and controls (read articles and papers, follow CVE updates, understand how threat landscape is changing, understand how to apply described ideas, read NIST guidelines).
• Dive into application security, infrastructure security, data security, IoT security, ML security with our team of skilled engineers. See related case study, written from an engineer’s point of view.
• Share your work as conference talks, blogposts (see a post about Mobile security score framework), contribute to open source standards like OWASP.

We would expect you to have: #

• Experience in performing security assessment for mobile and/or web applications.
• Ability to read code, understand business logic and spot security mistakes in different mobile-relevant languages, like Swift, Objective-C, Kotlin, Java, JavaScript, TypeScript, Dart.
• Experience designing or implementing mobile security controls, as well as platform-specific controls (Biometry on iOS, screenshot protections on Android, etc).
• Good understanding of OWASP MAS (MASVS + MASTG).
• Be familiar with other application security verification and software maturity frameworks: OWASP SAMM, OWASP ASVS.
• Understanding SSDLC (OWASP SSDLC, NIST SSDF).
• An overall understanding of what information security is, how real-world risks and threats affect the choice of security controls.
• Experience in popular security tools required for the job, or ability to learn them quickly (Burp Suite, network analysers, various SAST and DAST, dependency and vulnerability scanners).

As a plus you’d have: #

• Mobile development experience. Experience with mobile stack: Xcode, Android Studio, TestFlight, Firebase, AppCenter, Bitrise, fastlane, etc.
• Experience in jailbreaking/rooting your devices.
• Experience in reverse engineering applications, bypassing TLS pinning, analysing source code.
• Basic knowledge in cryptography: understanding the differences between symmetric and asymmetric cryptography, hashing, KDF.

Hiring Process: #

• Resume review – up to 5 business days.
• Test task – estimated time 3-4 hours.
• Introductory meeting with the Head of security engineering.
• Technical interview with several team members.
• Offer discussion.

Please note that you can be a perfect fit even if not everything we’ve outlined above applies to you. If you have any questions, please don’t hesitate to ask – everyone is unique.

We offer: #

Unique area of expertise: #

• Interesting and challenging work in applied security engineering: from building to breaking.
• Working at the intersection of different areas: designing ML security controls, supporting cryptographic protocols with security controls, protecting hardware, building reverse-resilient mobile apps, securing web apps for million of users, etc.
• Combining technologies: cryptography, software engineering, information security. You won’t be bored :)
• Public track record in the open source part of our products, sharing your work as blogs posts, research papers and conference talks. We work with innovative companies all over the world, move quickly and dive into technologies others just hear about.
• A sense of meaning and responsibility for those who seek purpose – we’re building “invisible texture of modern civilization”—bits of infrastructure finance, power grids, healthcare rely on, and we are trusted with very challenging aspects of it.

Environment: #

• Friendly and experienced team: smart people to learn from, great people to build with. Each of us is unique, we value and support each other.
• An atmosphere that motivates you to grow and get smarter every month, a healthy ratio of routine / experimentation.
• Trust: schedule, reporting, bureaucracy is kept at reasonable minimum. We hire smart people and trust them to do the right thing. When things go wrong, we help rather than punish.
• Shared decision making: this business is driven by engineering excellence, so engineers are important part of tactical and strategical business decisions.
• Friendly to humans: not just a formal vacation and sick leave quota. Feel like your mental or physical wellbeing needs care? Take some time off. Feel like working a few days from home? Sure. As long as you’re in line, we are here to support you when you’re not.

Growth: #

• Team that facilitates internal learning and growth all the time.
• Interesting technologies to work with — sometimes, even unique ones (we design applied cryptography schemes and techniques and novel ways to use them).
• Interesting engineering challenges across the board, ability to hop from high-level system design to protocol reverse engineering and clever data modelling hacks.
• Management attention to help you improve upon your personal goals (through 1:1s and mentoring).

Benefits: #

• Competitive compensation with flexible bonus scheme.
• Sick leaves, 21 vacation days a year, extra days off — according to agreements and laws.
• Conferences, books, courses — we encourage learning and sharing with the community. Our team members share a lot in talks, workshops and blog posts.

Not sure but considering? Talk to us. #

If you see yourself fit but a few things are off — don’t hesitate to talk anyway. It might be that your unique combination of skills and knowledge would be perfectly fitting for our environment, but we both just don’t know it yet.

Why work at Cossack Labs? #

Some companies prioritise talent and value proposition, while others understand business and would take any job that pays well. However, only few companies choose to specialise in difficult tasks as their primary competency.

We take on difficult jobs, we take mission-critical software and make it mission-secure.

• Virtualise OT infrastructure securely in the presence of active adversaries, preventing them from accessing the susceptible nation-wide network? ✓ Check.
• Provide immediate application security and infrastructure security guidance for mission-critical application that will be deployed on thousands of devices on the front-line tomorrow? ✓ Check.
• Validate counter-reverse engineering protections for power grid hardware to ensure that previously air-gapped environments were safe to open up to the outside world? ✓ Check.
• Ensure that software platforms for exchange of sensitive documents actually have a top-tier SSDLC programme that supplements missing capabilities and builds out processes? ✓ Check.

We operate as a lean core team and a diverse network of experts. The finest people you may work with include PhDs in information security and cryptography, infosec community standard contributors, in-depth experts in rare security topics, and business-centric security engineers with broad experiences. Some of your teammates have worked in infosec since the 1990s and saw the industry grow from nothing. Some of them helped write standards that govern security around you. Maybe someone’s work actually keeps the lights up while you’re reading this?

Our core engineers go through extensive indoctrination and training to become disciplined, stringent, self-sufficient field unit who owns the outcomes rather than just showing up for work.

As you grow into the Cossack Labs engineer, you’ll work on slow-paced projects to learn and improve, internal projects to innovate and build tools, and of course a few fires, because no smooth sea can make a skilled sailor. You’ll discover what works for you and what you need to learn.

We help innovators who are launching new venues of civilisation while facing significant security risks in becoming more secure and resilient. Customers trust us to achieve their business goals, not merely address gaps someone else has to identify first.

If this is a challenge you’re up to, let's talk!