Why dual-narrative?
Every defensive control has a corresponding offensive playbook. Reading them apart leaves gaps that an attacker walks through. Reading them together is the only honest threat model.
🛡️ Defender
How a specific security control is actually built: the API, the constraint, the
invariant that makes it hold. Real Kotlin and TypeScript, not pseudocode.
⚔️ Attacker
Where the same control breaks: the seven Bypass-N scenarios, the assumptions you have
to keep audit-tight, the silent failure modes you'd miss without thinking hostile.
Hands-on codelabs
Twenty-eight step-based codelabs derived from the same material, all fully authored end-to-end (beginner, intermediate, and advanced tracks), covering the full spectrum of Android security and offensive bypasses.
The defender's core arc, read in this order: OWASP Mobile Top 10 → Stateless auth → Hardware vault → Interceptor pattern → Network warfare → Device attestation → Biometric hardening → Overlay attacks.
Documentation library
A full pt-BR translation of every chapter ships alongside.
The app
Fortress Bank, a fintech demo where every defensive surface is visible to the user.
A SecurityChip in the app bar shows live integrity verdicts; sensitive flows step up via
BiometricPrompt bound to a fresh challenge; a hidden Dev Mode simulates attacks so each
control can be seen reacting in real time.
Splash · Onboarding · Login · Biometric Unlock · Home · Cards · Add Card · Scan · Analytics · Profile · Accounts · Account Detail · Transfer · Transfer Keypad · Security Center · Dev Mode