Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
The response of 12/18/2020 was received and considered.
Claims 25-43 are pending.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 12/18/2020 has been entered.
 
Response to Arguments
Applicant's arguments filed 12/18/2020 have been fully considered but they are not persuasive.
Applicant’s remarks (pp. 9-10) points to the amended limitations in support of allowability.  Applicant states: 
“In particular, claim 25 recites that in response to "receiving a request from the second application to access information requiring use of a permission from a first application," a determination is made as to "whether said second application is operating in accordance with at least one rule associated with said permission and in accordance with the mapping of said permission such that the mapping indicates said permission complies with the function calls made by the second application." 

“Claim 25 also recites, "creating at least one new rule, the at least one new rule defined such that use of one or more additional permissions is blocked in response to a 

“Applicant respectfully submits that the cited art applied in the Office Action, Bugiel, Nauman, Borghetti, Jain, Corby, Jain '465, Mathur, and Samteladze, does not address "determining whether said second application is operating in accordance with at least one rule associated with said permission and in accordance with the mapping of said permission such that the mapping indicates said permission complies with the function calls made by the second application" and "creating at least one new rule," as recited in claim 25.”

“However, in Jain '465 there is no determination about "whether said second application is operating in accordance with at least one rule associated with said permission and in accordance with the mapping of said permission such that the mapping indicates said permission complies with the function calls made by the second application" as in claim 25.”


However, Bugiel discloses determining if an application has been given a permission to perform an operation (for example, p. 6, ¶¶1-2 discloses restricting an application without a network permission from accessing other networked applications, similarly to the instant specification).  As discussed previously, Mathur is cited for teaching a system enabling a user to assign custom permissions for an application, as opposed to an all-or-nothing approach provided by developers (Mathur, ¶¶13-14) and Jain ‘465 teaches a system for determining the features and permissions actually used by an application (col. 1, line 67 – col. 2, line 15), including executing the application (executing function calls) and recording requested permissions (col. 7, lines 64-65, col. 8, lines 47-62) for the purposes of removing unused permissions (col. 9, lines 63-66).  Therefore, the Examiner maintains that Bugiel provides a framework that, when modified by Mathur and Jain ‘465 as discussed in the rejection, enables Bugiel to determine whether an application is operating in accordance with at least one rule associated with said permission (based on Bugiel) and in accordance with the mapping of said 

Applicant’s remarks (p. 10) argues that “the ability for a user to specify finer-grained application permission, as taught by Mathur, does not address the claim 25 features related to "creating at least one new rule, the at least one new rule defined such that use of one or more additional permissions is blocked in response to a determination that the one or more additional permissions does not comply with additional mappings of the plurality of requested permissions to function calls made by the second application."”  However, Bugiel teaches monitoring an application for permissions not approved (p. 6, ¶¶1-2).  Further, Mathur teaches a framework for teaching a system enabling a user to assign custom permissions for an application, as opposed to an all-or-nothing approach provided by developers (Mathur, ¶¶13-14) and Jain ‘465 teaches a system for determining the features and permissions actually used by an application (col. 1, line 67 – col. 2, line 15), including executing the application (executing function calls) and recording requested permissions (col. 7, lines 64-65, col. 8, lines 47-62) for the purposes of removing unused permissions (col. 9, lines 63-66).  As modified in the rejection, the prior art teaches creating rules (per Mathur to be enforced by Bugiel) defined such that use of permissions is blocked in response to a determination that the one or more additional permissions does not comply with additional mappings (as per Jain ‘465) of the plurality of requested permissions to function calls made by the second application.  A skilled artisan would have found it obvious to create new rules to restrict the applications to using those expected permissions found in Jain ‘465 (creating rules in the system refusing permissions that should not be necessary for the second application’s execution).

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 25-43 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the enablement requirement.  The claim(s) contains subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention.
Using claim 25 as a representative claim, the claim recites “analyzing operation of a second application to identify function calls made by the second application during operation; receiving a request from the second application to access information requiring use of a permission from a first application” and “mapping said permission to one or more of the function calls made by the second application” (emphasis added).  However, the specification does not enable such a mapping.  The specification describes monitoring an application based on “rules” and then provides a plurality of potential rules throughout the disclosure.  One example given is “the behaviour of the app or a check as to whether the app is only using permissions it has been granted is not only checked at the point of opening the app, but the behaviour is monitored for a period of time during run-time to check that the app is operating according to the defined rules.  This may prevent an app from initially running according to defined rules, and then subsequently contravening those rules a period of time after the app has 
“Alternatively, or in combination, "overprivilege" (e.g. excessive or non-permitted use of permissions) by applications can be detected.  For example the number of API (Application Programming Interface) calls that an application uses can be determined, and those API calls can then be mapped to permissions. Over time a permissions map can be automatically built, which can subsequently be used to detect overprivilege.  

In some embodiments the application behaviour can be first analysed in a "sandbox" environment (e.g. isolated from other software on the user equipment) and then the 25 request permissions can be mapped to the function calls that the program has made during "normal" operation. If there are permissions that the app requests but doesn't appear to need (for example a "weather" app requesting access to an email account of a user), then rules can be defined that will block the use of those permissions. In some embodiments the user might have to approve the permissions 30 during installation in order to get the app working.”

Thus, the specification enables monitoring an application for overprivilege by monitoring function calls of the application to determine permissions required for the function calls (for permission requests) to determine requests for permissions that are not approved permissions, where the list of approved permissions can originate by mapping function calls that an application normally uses to their respective permissions.  However, the specification fails to enable a skilled artisan to make and/or use an invention that maps the permission received as part of the request back to the function calls made by the application.  

The following is a quotation of 35 U.S.C. 112(b):



The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 25-43 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Regarding claims 25, 33 and 41, the limitation “the plurality of requested permissions” (last paragraph of the claims) lacks sufficient antecedent basis.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 25-31, 33-39 and 41-42 are rejected under 35 U.S.C. 103 as being unpatentable over “XManDroid: A New Android Evolution to Mitigate Privilege Escalation Attacks” by Bugiel et al. (Bugiel), Nauman), US 2015/0106940 A1 to Borghetti et al. (Borghetti), US 2011/0276951 A1 to Jain, US 2006/0090192 A1 to Corby et al. (Corby), US 9,665,465 B1 to Jain et al. (Jain ‘465) and US 2012/0209923 A1 to Mathur et al. (Mathur).
Regarding claim 25, Bugiel discloses receiving a request from a second application to access information requiring use of a permission from a first application (intercept ICC call from first application to second application, p. 5, §4.2 to use first application and permissions associated with the first application), said first and second applications installed on a user equipment (p. 5, Fig. 3); in response to said request, determining whether said second application is operating in accordance with at least one rule associated with the permission (determines if application has been given permission and to ensure the link complies with security policy, p. 5, §4.2; see also p. 6, ¶¶1-2, discussing restricting an application without a permission from accessing other networked applications).  Bugiel lacks the rule associated with said permission.  However, Nauman teaches that it is known for a developer to introduce constraints on which applications may call a component using intents (§3, under Example 1) and for a user to establish dynamic constraints specifying conditions under which a calling application would be given permission to access a called application (§3.1, ¶1 and Example 4).  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Bugiel such that the constraints are associated with the requested application and permissions associated therewith.  One of ordinary skill in the art would have been motivated to perform such a modification to enable a user or developer to have control over use of an application by another, as taught by Nauman.  As modified, Bugiel lacks monitoring, based on the at least one rule associated with said permission, behavior of the second application, said monitoring including a period of time during run-time of the second application.  However, Nauman teaches that a policy can provide permissions dynamically based on an application state (§3.1, specifically under Definition 8 and from Definition 10 to 
Regarding claims 26 and 34, Bugiel discloses wherein said method comprises providing said information to said second application when it is determined that said second application is operating in accordance with said at least one rule (allow ICC call, p. 5, §4.2).
Regarding claims 27 and 35, Bugiel discloses wherein said method comprises denying said information to said second application when it is determined that said second application is not operating in accordance with said at least one rule (deny ICC call, p. 5, §4.2).
Regarding claim 33, the claim is similar in scope to claim 25 and is therefore rejected using a similar rationale.
Regarding claims 28-31 and 36-39, Bugiel is silent regarding wherein said at least one rule is at least one of: defined by a developer of said first application or defined by a user of said user equipment.  However, Nauman teaches that it is known for a developer to introduce constraints on which applications may call a component using intents (§3, under Example 1) and for a user to establish dynamic constraints specifying conditions under which a calling application would be given permission to access a called application (§3.1, ¶1 and Example 4).  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Bugiel 
Regarding claim 41, the claim is similar in scope to claim 25 and is therefore rejected using a similar rationale.
Regarding claim 42, Bugiel, as modified above, teaches wherein when it is detected that said application contravenes said at least one rule, said at least one processor and said at least one memory are configured to cause the apparatus to at least one of: alert a user (Borghetti, ¶59); and/or halt said application (block ICC call, Bugiel, p. 5, §4.2).  See also Jain, ¶51.

Claims 32, 40 and 43 are rejected under 35 U.S.C. 103 as being unpatentable over Bugiel, Nauman, Borghetti, Jain, Corby, Jain ‘465 and Mathur, as applied to claims 31, 39 and 43 above, in further view of “DELTA: Delta Encoding for Less Traffic for Apps” by Samteladze et al. (Samteladze).
Regarding claims 32, 40 and 43, Bugiel, as modified above, teaches monitoring behavior of said second application for a period of time (see above with respect to Bugiel, as modified by Nauman and Borghetti), wherein at least one of the first application and the second application is an application downloaded wirelessly to the user equipment (application permission downloaded to mobile device, §1  ¶1, §3 ¶1, where the device is an Android device and application is downloaded via Android market), but lacks wherein the at least one rule is automatically created by said user equipment based on permission the user has previously allowed.  However, Samteladze describes Android app updating, where an updated app is automatically granted permissions as long as the requested permissions are the same as the original app (§III, A, where the original app is installed and previously assigned permissions by the user).  Therefore, it would have been obvious to one having ordinary skill in the art 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J SIMITOSKI whose telephone number is (571)272-3841.  The examiner can normally be reached on Monday - Friday, 7:00-3:00.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-38623862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Michael Simitoski/               Primary Examiner, Art Unit 2493                                                                                                                                                                                         
February 11, 2021