The Staff Product Security Engineer will lead the Application Security team, shaping the future of security for mobile, desktop, and game platforms. This role is responsible for establishing long-term security roadmaps, implementing advanced binary protection techniques, and safeguarding content and identity across the ecosystem through strong cryptographic and attestation controls.
Responsibilities
- Lead, mentor, and scale the Application Security team to meet evolving security demands.
- Develop and maintain a forward-looking security strategy for mobile, desktop, and gaming platforms to counter reverse engineering, piracy, and cheating.
- Oversee the creation and deployment of binary protection mechanisms to secure applications and games.
- Manage the assessment and integration of anti-tamper, obfuscation, and Runtime Application Self-Protection (RASP) technologies such as Promon and Guardsquare, ensuring minimal impact on performance and user experience.
- Partner with game development studios to design server-authoritative game economies and implement client-side detection for memory manipulation, touch macros, and modified APKs.
- Design and implement secure chains of trust across the platform ecosystem.
- Oversee management of code signing certificates, secure boot procedures, and integration of hardware-backed secure storage (TEE) for cryptographic keys.
- Lead red team exercises, internally or externally, using reverse engineering tools like IDA Pro and Frida to simulate real-world attacks on apps and games.
- Evaluate and verify the effectiveness of binary-level defenses and attestation mechanisms prior to product release.
- Collaborate with media engineering teams to strengthen DRM systems including Widevine and FairPlay.
- Ensure secure handling of media decryption keys and enforce output protection standards such as HDCP.
Requirements
- Strong knowledge of application architecture, including compilers, linkers, dynamic loaders, ABI interactions, and executable formats such as ELF, Mach-O, and PE.
- Deep understanding of Unity (IL2CPP) and Unreal Engine security models.
- Experience designing protections against game-specific threats including memory editors like GameGuardian, speed hacks, wallhacks, and asset tampering via AssetBundles.
- Extensive experience with cryptographic fundamentals such as hashing and digests, and Public Key Infrastructure (PKI), including certificate management and establishing chains of trust for code signing and secure boot.
- Proven experience evaluating and deploying commercial application shielding solutions (e.g., Promon, Guardsquare, Verimatrix) and platform attestation services (Google Play Integrity, Apple App Attest).
- Hands-on experience with DRM technologies including Google Widevine, Apple FairPlay, and Microsoft PlayReady, with focus on HDCP enforcement and screen capture prevention.
- Proficiency with reverse engineering tools such as IDA Pro, Ghidra, Frida, and Il2CppDumper to analyze applications and assess the strength of binary protections.
- Familiarity with OWASP MASVS and OWASP Mobile Top 10, and ability to align security initiatives with these standards.
- Experience securing web technologies within apps, including HTTPS/TLS, secure cookie attributes (Secure, HttpOnly, SameSite), local storage, and Content Security Policy (CSP).
- Expertise in securing WebView integrations (e.g., WKWebView) to ensure safe data exchange between native and web layers.
- Experience using Trusted Execution Environments (TEE) such as Secure Enclave, TrustZone, and TPM for secure key storage, cryptographic operations, and offline license handling.
- Experience integrating automated security testing (SAST/DAST) into CI/CD pipelines and managing risks associated with third-party SDKs and supply chain attacks.
Tech Stack
IDA Pro, Frida, Ghidra, Il2CppDumper, Promon, Guardsquare, Verimatrix, Google Play Integrity, Apple App Attest, Unity (IL2CPP), Unreal Engine, GameGuardian, Google Widevine, Apple FairPlay, Microsoft PlayReady, HDCP, SAST, DAST, TEE, Secure Enclave, TrustZone, TPM, PKI, ELF, Mach-O
Benefits
- Competitive salary with annual performance-based bonus potential.
- Flexible time off policy allowing employees to take the time they need.
- Comprehensive medical, dental, vision, short-term disability, long-term disability, and life insurance coverage.
- Health Savings Account (HSA) program.
- Health care and dependent care Flexible Spending Accounts (FSA).
- 401(k) retirement plan with employer matching contributions.
- Employer-paid commuter benefits.
- Support programs for new parents.
- Pet insurance and pet-friendly office locations.
Compensation
Great compensation package, including salary plus performance bonus earning potential, paid annually.
Work Arrangement
Hybrid: Dallas, Los Angeles, San Francisco. The hybrid work model is indicated by the #LI-Hybrid tag.
Team
Part of the Fan Experiences Engineering team, specifically within the Fan Experiences Services & Tools subteam focused on developer experience, tooling, and infrastructure. Reports to the Senior Director of Fan Experience Engineering Service & Tools.
- Courage: Overcoming fear to enable our best selves.
- Curiosity: Gateway to empathy, inclusion, and understanding.
- Kaizen: Growth mindset committed to constant forward progress.
- Service: Serve our community with humility, enabling joy and belonging for others.
Additional Information
- The role is titled 'Staff Product Security Engineer'.
- The position is part of the Fan Experiences Services & Tools team.
- The company values diversity and inclusion and is an equal opportunity employer.
- Crunchyroll is an independently operated joint venture between Sony Pictures Entertainment and Aniplex (a subsidiary of Sony Music Entertainment Japan).
- Candidates will only be contacted from @crunchyroll.com email accounts — beware of scams.
- Hiring process questions can be directed to Crunchyroll’s Hiring FAQs at https://help.crunchyroll.com/hc/en-us/articles/360040471712-Crunchyroll-Hiring-FAQs