Peloton is looking to ensure the security of its connected fitness devices, including the Bike, Tread, and future products, by implementing industry best practices and safeguarding customer data.
Requirements
- Strong software development background with 7+ years experience writing code in languages like Java, Kotlin, Swift or Python.
- Android SDK: Proficient with the Android Software Development Kit (SDK), which covers the full app lifecycle, integration of permissions, manifest configurations, inter-app communication, user authentication, secure storage, and app signing practices.
- Android NDK: Solid grasp of the Android Native Development Kit (NDK) for analyzing and securing native code (C/C++), understanding JNI interactions, memory management, and mitigating native code vulnerabilities present in custom system components or high-performance apps.
- AOSP (Android Open Source Project): Understanding of Android platform internals, custom ROM development, system-level modifications, access control architecture, permission models, and relevant security configuration across OS layers.
- App Security and Assessment: Experience with tools for static and dynamic analysis (e.g., MobSF, Frida, Burp Suite), decompiling and reverse engineering APKs and shared libraries, vulnerability discovery and remediation, and OWASP MASVS or Mobile Top 10 standards.
- Framework and Native Interaction: Knowledge of how Java/Kotlin app layers communicate with underlying native components, including security issues introduced by third-party SDKs, native libraries, and IPC mechanisms.
- Familiarity with AWS cloud environments
Responsibilities
- Architectural Security Review: Perform in-depth security assessments and threat modeling of Peloton's hardware and software architecture, from the bootloader to the application layer.
- Developer Guidance: Provide guidance and education to engineering and product teams on available security controls and their appropriate use to help prevent vulnerabilities.
- Develop Security Guardrails: Design, build, and implement security controls, services, and frameworks to proactively prevent security vulnerabilities in our embedded/Android-based environment.
- Tooling & Automation: Build and deploy automated security tooling within the CI/CD pipeline/QA pipeline to integrate security seamlessly into the development lifecycle.
- Code & System Hardening: Collaborate directly with engineering teams to review code, identify security flaws, and provide concrete guidance for remediation.
- Identify potential vulnerabilities in embedded systems architecture
- Build robust security guardrails to protect Members' data and experience
Other
- Excellent problem-solving skills, with the ability to work independently and handle multiple tasks.
- The ability to drive clear next steps when encountering ambiguous spaces without clear lines of ownership
- Exhibits a results-oriented mindset, consistently delivering measurable improvements to the security posture of applications and systems.
- Excellent relationship building skills across diverse cross-functional teams.
- Exceptional written/oral communication skills
