Peloton is looking to ensure their applications, devices, and systems are implemented and secured with industry best practices, safeguarding the software and hardware that power their connected fitness devices and protecting Member data and experience.
Requirements
- Strong software development background with 7+ years of experience writing code in languages like Java, Kotlin, Swift or Python.
- Proficient with the Android Software Development Kit (SDK), which covers the full app lifecycle, integration of permissions, manifest configurations, inter-app communication, user authentication, secure storage, and app signing practices.
- Solid grasp of the Android Native Development Kit (NDK) for analyzing and securing native code (C/C++), understanding JNI interactions, memory management, and mitigating native code vulnerabilities present in custom system components or high-performance apps.
- Understanding of Android platform internals, custom ROM development, system-level modifications, access control architecture, permission models, and relevant security configuration across OS layers.
- Experience with tools for static and dynamic analysis (e.g., MobSF, Frida, Burp Suite), decompiling and reverse engineering APKs and shared libraries, vulnerability discovery and remediation, and OWASP MASVS or Mobile Top 10 standards.
- Knowledge of how Java/Kotlin app layers communicate with underlying native components, including security issues introduced by third-party SDKs, native libraries, and IPC mechanisms.
- Familiarity with cryptography, secure storage, authentication methods (OAuth, JWT, biometrics), certificate pinning, and networking security (TLS/SSL), avoiding risky APIs, and enforcing proper app sandboxing.
Responsibilities
- Perform in-depth security assessments and threat modeling of Peloton's hardware and software architecture, from the bootloader to the application layer.
- Provide guidance and education to engineering and product teams on available security controls and their appropriate use to help prevent vulnerabilities.
- Design, build, and implement security controls, services, and frameworks to proactively prevent security vulnerabilities in our embedded/Android-based environment.
- Build and deploy automated security tooling within the CI/CD and QA pipelines to integrate security seamlessly into the development lifecycle.
- Collaborate directly with engineering teams to review code, identify security flaws, and provide concrete guidance for remediation.
- Be hands-on in developing secure coding practices and hardening our systems.
Other
- The ideal candidate is a proven engineering leader who has both exemplary engineering and communication skills.
- They have extensive experience collaborating with internal engineering partners.
- Excellent problem-solving skills, with the ability to work independently and handle multiple tasks.
- The ability to drive clear next steps when encountering ambiguous spaces without clear lines of ownership.
- Exhibits a results-oriented mindset, consistently delivering measurable improvements to the security posture of applications and systems.