About Castle

Castle is a Series A startup on a mission to create a safer online world by protecting platforms from fraud, abuse, and malicious activity. Trusted by companies like Canva, Atlassian, and Rockstar Games, we’re backed by Y Combinator, Index Ventures, and top-tier angels from Datadog, Stripe, and New Relic. Our fast-moving team is scaling globally, helping platforms stay secure while thriving in a rapidly evolving digital landscape.

The role

We’re hiring a Staff Mobile Security Engineer to make our mobile SDKs resilient against reverse engineering, tampering, and other adversarial techniques. This role goes beyond typical app development. You’ll operate at the intersection of mobile security, low-level systems programming, and fraud detection. Working closely with our Head of Research, Antoine Vastel, you’ll help refine advanced detection methodologies and uncover new mobile signals to stay ahead of evolving threats.

Castle’s SDKs are deployed in some of the world’s largest apps and platforms to stop credential stuffing, fake account creation, and large-scale automation fraud. Your mission is to ensure these protections remain robust, even in hostile environments where attackers fully control the device.

What you’ll do

• Design and implement mobile defenses against reverse engineering and runtime tampering
• Build hardened mobile SDKs that resist both dynamic and static analysis
• Develop and maintain high-fidelity mobile signals for bot detection, fraud risk scoring, and anomaly analysis
• Reverse engineer attacker tools (e.g., Frida scripts, emulators, obfuscated payloads) and evolve defenses accordingly
• Investigate and model mobile threat actors targeting client-side detection logic
• Prototype novel anti-abuse strategies on Android (and iOS, as needed), testing against real-world attacker techniques
• Collaborate with researchers and detection engineers to turn insights into production-grade defenses

What you bring

• Significant experience in Android security and mobile threat modeling, with a deep understanding of client hardening, anti-tamper mechanisms, and exploit mitigation techniques
• Proven ability in low-level systems programming and reverse engineering. Familiarity with assembly languages (x86; ARM is a plus)
• Solid understanding of JVM internals
• Proficiency in native Android development using C/C++, with working knowledge of Java
• Ability to write secure, efficient code optimized for resource-constrained environments
• Hands-on experience with instrumentation and hooking frameworks such as Frida
• Familiarity with iOS internals, jailbreak detection, and mobile OS security models
• Experience building security-critical SDKs or libraries for integration into third-party apps
• Background in adversarial environments is a strong plus (e.g., anti-cheat, DRM, game integrity)
• Clear communication skills and a collaborative mindset

Why this role matters

Castle protects web and mobile apps from bot-driven abuse and fraud, with SDKs that run on millions of devices. On mobile, attackers have full access to the client, and use advanced reverse engineering techniques to bypass protections or spoof signal collection.

As attackers get smarter, so must our defenses. Your work will directly contribute to raising the bar, ensuring Castle’s detection systems are resilient even in the most adversarial environments.

Benefits

• We pay US salaries globally
• Flexible work hours. We prioritize outcomes over hours spent
• Unlimited PTO. Take the time you need to recharge and maintain a healthy work-life balance
• Paid parental leave. Supporting new parents during their transition
• We’ll supply the computer and related gear you need to excel