Senior Penetration Tester (Mobile Application & API Security)
Heirs Technologies · Lagos, Lagos State, Nigeria
Investment Management · 51-200 employees
About the role
Lead offensive security testing for mobile banking platforms and customer-facing APIs to identify vulnerabilities. Produce high-quality technical reports with proof-of-concept evidence and support secure design reviews for new features.
What they look for
Requirements
Requires at least 5 years of penetration testing experience, with 3 years specializing in mobile and API security. Must hold an OSCP certification and be proficient with tools like Frida, Objection, and Burp Suite.
Full description
About the Role
We are looking for an experienced Senior Penetration Tester – Mobile Application & API Security to lead offensive security testing of our mobile banking platform and customer-facing APIs.
In this role, you will be responsible for identifying security vulnerabilities across iOS and Android applications, mobile authentication, API security, reverse engineering, runtime protections, and the complete mobile-to-backend communication chain. Working closely with our Cyber Security team, you will ensure our mobile applications and APIs are secure, resilient, and aligned with industry best practices before reaching our customers.
Key Responsibilities
Mobile Application Security
• Conduct dynamic and static security assessments of iOS and Android applications.
• Perform penetration testing against the OWASP Mobile Top 10 and OWASP MASVS Level 2.
• Assess application security controls including:
• Runtime Application Self-Protection (RASP)
• Obfuscation
• Certificate Pinning
• Device Attestation
• Root/Jailbreak Detection
• Biometric Authentication
• Secure Storage
• Perform reverse engineering and identify weaknesses within mobile applications.
API Security Testing
• Perform security assessments of customer-facing REST APIs.
• Test applications against the OWASP API Top 10.
• Assess authentication, authorization, JWT implementation, session management, and API security controls.
• Perform automated and manual BOLA/IDOR testing.
• Validate encryption, MTLS implementation, and API schema enforcement.
Security Assessment & Reporting
• Produce high-quality penetration testing reports with proof-of-concept evidence, risk ratings, and remediation recommendations.
• Present findings to development and security teams.
• Support secure design reviews for new features.
• Retest remediated vulnerabilities and validate successful resolution.
Required Qualifications
Experience
• Minimum 5 years' hands-on penetration testing experience.
• At least 3 years' experience specialising in:
• Mobile Application Security (iOS & Android)
• API Security Testing
Technical Expertise
Strong hands-on experience with:
• Mobile application penetration testing
• Reverse engineering of Android and iOS applications
• OWASP MASVS Level 2
• OWASP Mobile Top 10
• OWASP API Top 10
• REST API Security
• JWT authentication
• Device attestation
• Certificate pinning
• Mobile authentication security
Tools
Experience using security testing tools such as:
• Burp Suite Professional
• Frida
• Objection
• MobSF
• jadx
• apktool
• Drozer
• Wireshark
• Proxyman
• Python scripting
Certifications
Required
• Offensive Security Certified Professional (OSCP)
Preferred
• EMAPT
• GMOB
• eWPT / eWPTX
Preferred Experience
• Mobile banking or financial services security
• Payment application security
• PCI-DSS environments
• RASP technologies
• FIDO2 / WebAuthn
• Behavioural fraud detection technologies
• Bug bounty participation
• Secure mobile authentication implementations
What We're Looking For
We're looking for a security professional who:
• Thinks like an attacker and uncovers complex vulnerabilities.
• Has strong analytical and problem-solving skills.
• Produces clear, high-quality technical reports.
• Communicates effectively with both technical and non-technical stakeholders.
• Demonstrates integrity and professionalism when handling sensitive systems.
• Keeps up to date with emerging mobile and API security threats and attack techniques.