CyberBuddy is a gamified Android app that guides everyday users through personal cybersecurity using a Gemini A2A agent. Here's the full build story.

I built this because someone asked me a question I couldn't answer in a WhatsApp message.
"How do I know if I am safe online?"
She was a student I mentor through Linfy Academy in Strand, Cape Town. Smart. Motivated. Using the same password for her email, her banking app, and her school portal.
There was no simple answer. So I built one.
What is CyberBuddy?
CyberBuddy is an Android app that acts as a personal cybersecurity coach.
It guides users through building their own Personal Security Plan (PSP) - covering password health, device security, and two-factor authentication. It tracks daily security habits through streaks and badges. And it monitors whether your email has appeared in known data breaches.
The AI coaching layer is powered by Gemini via an A2A (Agent-to-Agent) architecture. More on that below.
Who It's For
Most cybersecurity tools are built for enterprises with IT departments and budgets.
CyberBuddy is built for three people:
- The student who just got their first smartphone
- The educator managing a WhatsApp group for parents
- The professional who knows their passwords are a problem but has no idea where to start
These are the people who get phished. These are the people whose credentials appear in breach databases. These are the people nobody is building for.
The Tech Stack
Language: Kotlin
UI: Jetpack Compose (Material3)
Architecture: Clean Architecture + MVVM
Database: Room (offline-first)
DI: Hilt
AI Layer: Gemini API via A2A Protocol
Testing: JUnit5 + Kotest (property-based)
Dev Tools: Gemini in Android Studio + Claude Code (JetBrains)
The architecture was designed to be offline-first from day one. Room handles all local state. Gemini enhances the experience - it does not gate it.
The A2A Layer (This is the interesting part)
Instead of calling the Gemini API directly from every screen, I built a SecurityOrchestrator class that acts as the host agent.
It delegates structured tasks to a Gemini-powered coaching agent using Google's A2A protocol.
data class SecurityAgentTask(
    val taskType: String, // "psp_guidance" | "breach_explain" | "daily_tip"
    val userRole: String, // "student" | "professional" | "educator"
    val context: Map<String, Any>
)
The benefit: the AI backend is completely decoupled from the Android layer. I can upgrade the Gemini model, swap the agent, or change the coaching logic without touching a single Compose screen.
That is the architectural decision I am most proud of.
What Went Wrong
1. A property-based test that taught me more than any linter.
I was using Arb.string(minSize = 1, maxSize = 100) to generate random test inputs for the source field in breach results. The test asserted breach.source.isNotBlank(). It kept failing.
It turns out Kotest's string generator happily produces strings made entirely of whitespace. A string of one space has a length of 1. It is not empty. But it is blank.
One line fixed it:
val arbNonEmptyString = Arb.string(minSize = 1, maxSize = 100).filter { it.isNotBlank() }
74 tests passed before that fix. 75 after.
2. AI features want connectivity. Your users don't always have it.
Designing for offline-first while shipping AI features is a real tension. My solution: Room is the source of truth. Gemini is the upgrade. If the agent call fails, the app still works.
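The host-agent pattern and the offline fallback described above, as an added sketch that is not CyberBuddy's own code. Only SecurityAgentTask and its documented string values come from the post; CoachingAgent, LocalCoach, coach() and the context-key allowlist are hypothetical, and the agents here are in-process stand-ins that make no network calls.

```kotlin
// Added sketch: every name except SecurityAgentTask and its fields is hypothetical.
data class SecurityAgentTask(
    val taskType: String,
    val userRole: String,
    val context: Map<String, Any>
)

// Stand-in for the remote Gemini-backed agent; a real one would speak A2A over the network.
fun interface CoachingAgent { fun handle(task: SecurityAgentTask): String }

// Stand-in for coaching content already stored on the device (Room in the app).
fun interface LocalCoach { fun tipFor(taskType: String, userRole: String): String }

class SecurityOrchestrator(private val agent: CoachingAgent, private val local: LocalCoach) {
    private val taskTypes = setOf("psp_guidance", "breach_explain", "daily_tip")
    private val roles = setOf("student", "professional", "educator")
    // Assumed allowlist: only these context keys ever leave the device.
    private val sharedKeys = setOf("breachCount", "streakDays", "pspStep")

    fun coach(task: SecurityAgentTask): String {
        // The fields are plain strings, so reject anything outside the documented values.
        require(task.taskType in taskTypes) { "unknown taskType" }
        require(task.userRole in roles) { "unknown userRole" }
        val minimal = task.copy(context = task.context.filterKeys { it in sharedKeys })
        return try {
            // A blank reply (the same trap as the whitespace test) counts as no reply.
            agent.handle(minimal).takeIf { it.isNotBlank() }
                ?: local.tipFor(task.taskType, task.userRole)
        } catch (e: Exception) {
            // Offline, timeout or agent error: local content still answers.
            local.tipFor(task.taskType, task.userRole)
        }
    }
}

fun main() {
    val local = LocalCoach { type, role -> "[local] $type tip for $role" }
    val offline = CoachingAgent { throw java.io.IOException("no network") }
    val online = CoachingAgent { t -> "[agent] saw keys ${t.context.keys}" }
    // Constructed sample task; the email key is dropped before the agent sees it.
    val task = SecurityAgentTask("breach_explain", "student",
        mapOf("breachCount" to 2, "email" to "user@example.com"))
    println(SecurityOrchestrator(online, local).coach(task))
    println(SecurityOrchestrator(offline, local).coach(task))
}
```

Validating the string fields and trimming the context map in the orchestrator keeps both checks in one place, so no screen can send an unexpected task type or extra personal data to the agent.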
The Dev Workflow That Changed How I Build
I used two AI tools at different stages:
Gemini in Android Studio for scaffolding. Boilerplate, A2A setup, Compose screens. Gemini knows the Android ecosystem deeply and moves fast.
Claude Code (JetBrains plugin) for polish. Edge cases, accessibility, ProGuard rules, test coverage gaps. Claude reads the full codebase and reasons about architecture, not just the current file.
Neither tool replaced thinking. Both tools compressed the time between thinking and shipping.
Before either tool touched the codebase, I wrote three spec files: mission.md, techstack.md, and roadmap.md. That is what kept the agents grounded.
What's Next
CyberBuddy is being presented at Pet Projects: The 2026 Edition - GDG Cape Town's mid-year showcase on 30 June 2026.
After that: Play Store release, closed beta with users from Strand and the IUS Africa youth network, and Supabase MCP integration for cross-device PSP sync.
If you are building something for people who need it, keep building.
El Roi sees the work.
Linford Musiyambodza
Founder, Linfy Tech Solutions | Strand, Cape Town