A developer is designing a very sensitive web application that will be accessed by both desktop
web browsers and mobile Android applications. What is one way the developer can implement a
multi-factor authentication system for these users?

Which of the following is a disadvantage of using a static embedded API Key for client
authentication to a web service?

Which of the following defines why it is important for a developer to deploy known-good (whitelist)
input validation for all requests made to a web service API?

Once an Android client has authenticated to a web service, what must be done on the server-side
to ensure correct authorization checks are being performed?

Why must Android clients perform input validation on data received from publically accessible web
service API calls?

Which of the following is the primary reason for web services to output encode all data sent to
Android application clients?

What two types of input validation should a developer implement for a web server that will be
implementing SOAP-based web services? (Select TWO).

Why is it necessary to pass session tokens over a secure, encrypted channel?

Why should the Secure attribute be set on any session cookie sent to an Android application?

Which of the following describes the purpose of the HTTPOnly cookie attribute?