Staff Product Security Engineer

About the role

Crunchyroll is growing and changing, presenting unique challenges and opportunities to support millions of anime fans around the world. The Fan Experiences Services & Tools team provides seamless help to our partners and internal stakeholders, ensuring an exceptional experience for all Crunchyroll fans.

Our charter is focused on helping our internal and external teams around the world integrate, test, and deploy the Crunchyroll applications quickly and with the highest levels of quality. We do this with tools and infrastructure that optimize the developer experience. We tie it all together with sophisticated automated testing and productivity solutions designed to support our culture of experimentation, autonomy and ownership. Our goal is to focus on delivering the best possible anime fan experience.

You will:

• Security Strategy & Leadership: Lead, mentor, and grow the Application Security team. Define the long-term roadmap for Mobile, Desktop, and Game security to proactively mitigate reverse engineering, piracy, and cheating.

• Binary Defense Architecture: Oversee the design and implementation of binary protection strategies. Direct the evaluation and integration of anti-tamper, obfuscation, and RASP solutions (e.g., Promon, Guardsquare) ensuring minimal impact on game FPS, app performance and user experience.

• Game Integrity & Anti-Cheat: Collaborate with game studios to design "server-authoritative" economies and implement client-side detections for memory manipulation, touch macros, and modded APKs.

• Trust & Identity Management: Architect robust chains of trust for the ecosystem. Manage code signing certificates, secure boot processes, and the integration of hardware-backed storage (TEE) for sensitive keys.

• Vulnerability Research & Validation: Lead internal or external "red team" initiatives using reverse engineering tools (IDA Pro, Frida) to simulate attacks against our apps and games. Validate the effectiveness of binary defenses and attestation checks before release.

• Content Protection Engineering: Collaborate with media engineering to harden DRM implementations (Widevine, FairPlay). Ensure secure handling of media keys and enforce output protection (HDCP).

In the role of Staff Product Security Engineer, you will report to the Senior Director of Fan Experience Engineering Service & Tools. We are considering applicants for the location of Dallas, Los Angeles, or San Francisco.

About You

We get excited about candidates, like you, because you have...

• Binary Application Construction: Solid understanding of how applications are constructed, including compilers, linkers, dynamic loaders, ABI interaction, and executable formats (ELF, Mach-O, PE).

• Game Engine & Anti-Cheat Security: Solid understanding of Unity (IL2CPP) and Unreal Engine security architectures. Experience designing defenses against game-specific attacks: memory editors (GameGuardian), speed hacks, wallhacks, and protecting asset integrity (AssetBundles).

• Cryptography & Chain of Trust: Comprehensive experience with cryptographic primitives (hashing, digests) and Public Key Infrastructure (PKI), including managing digital certificates and establishing chains of trust for code signing and secure boot.

• Anti-Tamper & Ecosystem: Proven track record evaluating and implementing commercial shielding (Promon, Guardsquare, Verimatrix) and platform attestation (Google Play Integrity, Apple App Attest) for both apps and games.

• Content Protection & DRM: Experience with Google Widevine, Apple FairPlay, and Microsoft PlayReady, including HDCP enforcement and screen recording prevention.

• Reverse Engineering & Analysis: Hands-on experience with tools (IDA Pro, Ghidra, Frida, Il2CppDumper) to simulate attacks, analyze game logic, and validate the resilience of binary protections.

• TBD: Mobile Security Standards: Relevant certifications OWASP MASVS and the OWASP Mobile Top 10, with the ability to map these standards to engineering roadmaps.

• Web & Network Security: Experience securing web standards within application contexts, including HTTPS/TLS, cookie security (Secure, HttpOnly, SameSite), local storage, and Content Security Policy (CSP).

• Hybrid App & WebView Security: Expert handling of WebView bridges (WKWebView), ensuring secure data exchange between native and web contexts.

• Hardware-Backed Security: Experience utilizing TEEs (Secure Enclave, TrustZone, TPM) for secure key storage, cryptographic operations, and offline license management.

• DevSecOps & Supply Chain: Experience automating security (SAST/DAST) within CI/CD pipelines and managing third-party SDK risks (supply chain attacks).

About the Team

The Fan Experiences Engineering team at Crunchyroll plays a pivotal role in enhancing and expanding our users' experiences. We collaborate extensively with a diverse network of device, payment, and gaming partners to broaden the reach of Crunchyroll's offerings. Our primary objective is to drive growth, open up new acquisition channels, and optimize both the scope and quality of our services. Situated at the crossroads of technology and business, we are dedicated to continually enabling experiences that delights our fans.

Why you will love working at Crunchyroll

In addition to getting to work with fun, passionate and inspired colleagues, you will also enjoy the following benefits and perks:

• Receive a great compensation package including salary plus performance bonus earning potential, paid annually.
• Flexible time off policies allowing you to take the time you need to be your whole self.
• Generous medical, dental, vision, STD, LTD, and life insurance
• Health Saving Account HSA program
• Health care and dependent care FSA
• 401(k) plan, with employer match
• Employer paid commuter benefit
• Support program for new parents
• Pet insurance and some of our offices are pet friendly!

#LifeAtCrunchyroll #LI-Hybrid