EX Squared is hiring a Mobile Application Penetration Tester (iOS & Android)

Jobgether is looking for a Mobile Application Penetration Tester to join a high-impact cybersecurity environment where your expertise will directly protect mobile users and enterprises. You will conduct advanced security assessments of iOS and Android applications, applying sophisticated methodologies to uncover vulnerabilities and strengthen resilience. The role demands hands-on penetration testing skills, deep technical knowledge, and creativity to simulate real-world adversarial attacks.

What You'll Do

• Conduct end-to-end penetration testing of iOS and Android apps, including static, dynamic, and runtime analysis.
• Evaluate mobile API integrations, authentication, encryption, and data storage mechanisms.
• Identify and exploit critical vulnerabilities such as insecure storage, weak cryptography, jailbreak/root bypasses, and logic flaws.
• Utilize runtime instrumentation frameworks like Frida, Objection, and Xposed for advanced dynamic testing.
• Perform certificate pinning bypass, hooking, and traffic interception with advanced proxy techniques.
• Assess and attempt evasion of app protections including root/jailbreak detection, code obfuscation, and anti-debugging.
• Develop custom scripts and exploits in Python, Java, Swift, Kotlin, or C++ to simulate advanced attacks.
• Produce detailed penetration test reports with risk ratings, PoCs, and actionable remediation guidance.
• Support Red Team exercises by simulating adversarial mobile endpoint attacks.
• Collaborate with development and security stakeholders to integrate secure coding and SDLC practices.

What We're Looking For

• 5+ years in penetration testing, with at least 3 years focused on iOS and Android apps.
• Solid knowledge of OWASP Mobile Top 10 and NIST guidelines.
• Expertise with tools for static and reverse engineering like Apktool, JADX, Ghidra, Hopper, IDA Pro, Radare2, and JD-GUI.
• Advanced experience in runtime/dynamic testing using Frida, Objection, Cycript, LLDB, and Xposed.
• Familiarity with automation frameworks (MobSF, Drozer, Appium) and proxy tools (Burp Suite Pro, OWASP ZAP, MITM tools).
• Strong understanding of Android and iOS security internals, including sandboxing, Keychain, Secure Enclave, and OS models.
• Hands-on use of jailbroken and rooted devices for advanced exploitation.
• Knowledge of cryptography, TLS, certificate pinning, and secure storage.
• Ability to think creatively like an attacker, going beyond automated findings.

Nice to Have

• Preferred certifications: OSCP, OSEP, OSED, OSWE, OSMR, EWPTX, EWAPT, CRTP, CRTE. Others like CEH or CAP are considered a plus.

Technical Stack

• Languages: Python, Java, Swift, Kotlin, C++
• Runtime Instrumentation: Frida, Objection, Xposed, Cycript, LLDB
• Reverse Engineering: Apktool, JADX, Ghidra, Hopper, IDA Pro, Radare2, JD-GUI
• Automation & Proxy: MobSF, Drozer, Appium, Burp Suite Pro, OWASP ZAP

Benefits & Compensation

• Competitive salary aligned with expertise and experience.
• Remote-first flexibility with a focus on work-life balance.
• Opportunity to work with leading-edge mobile security technologies.
• Professional growth through advanced projects and Red Team exercises.
• Access to certifications, training, and career development programs.
• Inclusive and collaborative environment promoting innovation.
• Health and wellness benefits package.

Work Mode

This is a remote-first position open to candidates based in India.

Jobgether is an equal opportunity employer committed to an inclusive and collaborative environment.