Job Category: Product
Job Details
The Experience
The Product Security team is seeking a Mobile Security Engineer who will own the security posture of Salesforce's mobile application portfolio — spanning many distinct apps and mobile Software Development Kits (SDKs) across iOS and Android for nearly every Cloud and acquisition. You'll be the dedicated technical owner for mobile application security testing, vendor-managed mobile scanning platforms, and security design reviews for mobile features, working at the intersection of mobile platform security and product engineering. Your work will directly protect the apps that millions of customers interact with daily, from the Salesforce flagship app to Tableau Mobile, Field Service, Trailhead, and Mobile Publisher. Join a team committed to ensuring every mobile release ships with validated security controls and that runtime protection, authentication flows, and binary hardening meet the highest standards.
What You'll Actually Be Doing
Perform manual and automated security assessments of iOS and Android applications, including binary reverse engineering, dynamic instrumentation, authenticated scanning, and review of OAuth/PKCE flows, certificate pinning implementations, and jailbreak/root detection controls.
Operate and expand the mobile scanning platform across the mobile app portfolio, manage pre-production Continuous Integration/Continuous Delivery (CI/CD) pipeline integration, configure scanning rulesets, triage findings, and coordinate quarterly with external penetration testing vendors.
Conduct secure code reviews across Swift, Kotlin, Java, and React Native mobile codebases, embed security controls in mobile SDKs and feature development, and lead threat modeling sessions for mobile-specific attack surfaces including on-device AI, app attestation, and deep linking.
Provide mobile security guidance to engineering teams across all Clouds, translate mobile findings into actionable remediation, respond to customer compliance questionnaires, and serve as the mobile security subject-matter expert for release planning and incident response.
Build and ship high-quality, production-grade security tooling and automation using modern engineering practices, with AI as a core part of your development workflow — pushing the boundaries of AI development tools to deliver secure, optimized, and high-quality code.
Design and orchestrate complex systems where AI agents integrate seamlessly into security workflows, driving efficiency and innovation at scale.
Contribute to building and maintaining shared system context — an explicit repository of system designs, constraints, and standards that enables AI to operate accurately and reliably. Critically evaluate code (human- or AI-generated) for correctness, quality, security, and performance.
You're Our Person If...
You have 2+ years in application security, mobile security testing, or mobile development with demonstrated knowledge of iOS and Android platform security models, the Open Web Application Security Project (OWASP) Mobile Top 10, and common mobile vulnerability classes.
You have hands-on experience with the mobile platform toolchain (Xcode/Android Studio).
You are familiar with security testing tools such as Frida, NowSecure, objection, MobSF, Burp Suite, or commercial mobile Static/Dynamic Application Security Testing (SAST/DAST) platforms.
You have an understanding of mobile authentication patterns (OAuth 2.0, PKCE, SAML), runtime protection mechanisms (code obfuscation, anti-hooking, anti-tampering), and app store ecosystem security considerations for both Apple and Google Play.
You have strong communication skills with the ability to explain mobile-specific risks to engineering partners who may not have mobile security context.
You bring a demonstrated, genuine AI-first approach to engineering — using AI to move faster, build fluency across the stack, and contribute well beyond your core specialty.
You have experience using AI tools (e.g., Claude Code, GitHub Copilot, Codex, Cursor, etc.) in development workflows.
You have advanced prompt engineering skills and the ability to write precise, structured prompts and cultivate the system context that makes AI outputs reliable, secure, and production-ready.
A related technical degree is required.
Even Better If...
You have experience evaluating mobile runtime protection tools such as Promon, DexGuard, or similar Runtime Application Self-Protection (RASP) solutions on jailbroken or rooted devices.
You hold mobile-focused security certifications such as GIAC Mobile Device Security Analyst (GMOB), or general offensive certifications such as Offensive Security Certified Professional (OSCP) or Offensive Security Web Expert (OSWE) with demonstrated mobile testing experience.
You have active participation in mobile bug bounty programs (HackerOne, Bugcrowd), published mobile security research, Common Vulnerabilities and Exposures (CVE) disclosures, or contributions to open-source mobile security tools.
You have experience with mobile CI/CD pipelines, automated binary scanning integration, or familiarity with the Salesforce ecosystem and applying AI tools such as Claude, Cursor, or Gemini for security assessments.
At Salesforce, we believe in equitable compensation practices that reflect the dynamic nature of labor markets across various regions.
The typical base salary range for this position is $117,200 - $176,700 annually. In select cities within the San Francisco and New York City metropolitan area, the base salary range for this role is $141,200 - $194,200 annually.
The range represents base salary only, and does not include company bonus, incentive for sales roles, equity or benefits, as applicable.