Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This Office Action is in response to the application 15/688,911 filed on 0/17/2021; Claims 1, 10, and 19 have been amended; Claims 1, 10, and 19 are independent claims.  Claims 1-20 have been examined and are pending. 
Authorization for this Examiner’s Amendment was given in a telephone interview with Applicant’s representative, Mr. Werking, Kipman (Reg. No.: 60187), who agreed and authorized the Examiner to amend claims 1, 7, 10, 16, and 19.

Examiner’s Amendments
Claims
Replace claims 1-20 as follows:
1.	(Currently Amended) A computer-implemented method for preventing malicious applications from exploiting application services, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
identifying an attempt by an application, executing within a sandboxed environment that isolates the application’s data and code execution from at least one 
determining that the application represents a potential security risk using at least one of  a signature-based technique that matches a file name of the application to a database of known-malicious applications or behavioral heuristics that compare behavior of the application with behavior of known-malicious applications; 
prompting a user of the computing device to remediate the potential security risk posed by the application by performing a recommended security action that the sandboxed environment prevents a security application from performing autonomously; and
while waiting for the user to perform the recommended security action, the security application securing the computing device by utilizing the ActivityManager.killBackgroundProcesses method to automatically terminate the application service after the application has launched the application service;
wherein:
the identifying is performed by utilizing a kernel-level hook to identify a request to launch the application service prior to the request being granted; and 
the recommended security action comprises uninstalling or disabling the application such that the user is protected by preventing the application from sharing the private user data while waiting for the user to uninstall or disable the application. 



	3.	(Previously Presented) The computer-implemented method of claim 2, wherein the prompting is performed during installation of the security application. 

	4.	(Previously Presented) The computer-implemented method of claim 2, wherein the elevated privileges enable the security application to request and obtain information that identifies applications that are running on the computing device and/or services launched by such applications. 

5.	(Previously Presented) The computer-implemented method of claim 1, wherein the operating system comprises ANDROID.

6.	(Previously Presented) The computer-implemented method of claim 1, wherein identifying the attempt is performed through utilizing the ActivityManager class to interface with a kernel space of the operating system.

	7.	(Currently Amended) The computer-implemented method of claim 1, wherein the sandboxed environment prevents the security application from automatically quarantining the application.

	8.	(Currently Amended) The computer-implemented method of claim 1, further comprising, if the application service cannot be automatically terminated, prompting the user to manually terminate the application that launched the application service. 

	9.	(Original) The computer-implemented method of claim 8, wherein prompting the user to manually terminate the application that launched the application service comprises periodically prompting the user to terminate the application until detecting that the user has successfully terminated the application. 

10.	(Currently Amended) A system for preventing malicious applications from exploiting application services, the system comprising:
an identification module, stored in a memory device, that identifies an attempt by an application, executing within a sandboxed environment that isolates the application’s data and code execution from at least one other application executing within an operating system on the system, to launch at least one application service that comprises a computing task, the application comprising a malware application and the computing task executing in a computing environment background to share private user data with an unauthorized recipient;

a notification module, stored in the memory device, that prompts a user of the system to remediate the potential security risk posed by the application by performing a recommended security action that the sandboxed environment prevents a security application from performing autonomously; 
a security module, stored in the memory device, that, while waiting for the user to perform the recommended security action, secures the system by utilizing the ActivityManager.killBackgroundProcesses method to automatically terminate the application service after the application has launched the application service; and 
at least one physical processor that executes the identification module, the determination module, the notification module, and the security module;
wherein:
the identification module identifies the attempt by utilizing a kernel-level hook to identify a request to launch the application service prior to the request being granted; and
the recommended security action comprises uninstalling or disabling the application such that the user is protected by preventing the application from sharing the private user data while waiting for the user to uninstall or disable the application. 



	12.	(Previously Presented) The system of claim 10, wherein the sandboxed environment prevents the security application from at least one of:
automatically quarantining the application; and
automatically uninstalling the application. 

	13.	(Previously Presented) The system of claim 10, wherein the attempt to launch the application service comprises an attempt to at least one of:
capture sensitive information; 
transmit sensitive information; and
access a malicious resource.

14.	(Previously Presented) The system of claim 10, wherein the attempt to launch the application service comprises an attempt to at least one of:
modify user data; 
generate a user prompt requesting elevated privileges; and 
generate an advertisement.


terminate the application; and
uninstall the application.

	16.	(Currently Amended) The system of claim 10, wherein the sandboxed environment prevents the security application from automatically quarantining the application.

	17.	(Currently Amended) The system of claim 10, wherein the notification module prompts the user to manually terminate the application that launched the application service if the security module cannot automatically terminate the application service. 

	18.	(Original) The system of claim 17, wherein the notification module prompts the user to manually terminate the application that launched the application service by periodically prompting the user to terminate the application until detecting that the user has successfully terminated the application. 

identify an attempt by an application, executing within a sandboxed environment that isolates the application’s data and code execution from at least one other application executing within an operating system on the computing device, to launch at least one application service that comprises a computing task, the application comprising a malware application and the computing task executing in a computing environment background to share private user data with an unauthorized recipient;
determine that the application represents a potential security risk using at least one of a signature-based technique that matches a file name of the application to a database of known-malicious applications or behavioral heuristics that compare behavior of the application with behavior of known-malicious applications; 
prompt a user of the computing device to remediate the potential security risk posed by the application by performing a recommended security action that the sandboxed environment prevents a security application from performing autonomously; and
while waiting for the user to perform the recommended security action, secure the computing device by utilizing the ActivityManager.killBackgroundProcesses method to automatically terminate the application service after the application has launched the application service;
wherein:

the recommended security action comprises uninstalling or disabling the application such that the user is protected by preventing the application from sharing the private user data while waiting for the user to uninstall or disable the application.

	20.	(Previously Presented) The non-transitory computer-readable medium of claim 19, wherein the sandboxed environment prevents the security application from at least one of:
automatically quarantining the application; and
automatically uninstalling the application. 

Examiner's Statement of Reasons for Allowance
Claims 1-20 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The invention is directed to a method/system/non-transitory computer readable media for preventing malicious applications from exploiting application services, which may include (i) identifying an attempt by an application, executing within a sandboxed environment that isolates the application's data and code execution from at least one other application executing within an operating system on the computing device, to launch at least one application service, (ii) determining that the application represents a potential security risk, (iii) prompting a user of the computing device to remediate the potential security risk posed by the application by performing a recommended security action, and (iv) while waiting for 
The closest prior art references, Bennett (“Bennett,” US 2009/0282485), Ivgi (“Ivgi,” US 2010/0122313), and Gnesda et al. (“Gnesda,” US 2014/0101757), are generally directed to: identifying an attempt by an application, executing within a sandboxed environment that isolates the application’s data and code execution from at least one other application executing within an operating system on the computing device, to launch at least one application service that comprises a computing task, the application comprising a malware application and the computing task executing in a computing environment background to share private user data with an unauthorized recipient; determining that the application represents a potential security risk using at least one of a signature-based technique that matches a file name of the application to a database of known-malicious applications or behavioral heuristics that compare behavior of the application with behavior of known-malicious applications; prompting a user of the computing device to remediate the potential security risk posed by the application; and, while waiting for the user to perform the recommended security action, securing the computing device by blocking the attempt by the application to launch the application service.
However, none of Bennett, Ivgi, and Gnesda teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in the independent claims 1, 10, and 19.  For example, they fail to teach “prompting a user of the computing device to remediate the potential security risk posed by the application by performing a recommended security action that the sandboxed environment prevents a security application from performing autonomously; and while waiting for the user to perform the recommended security action, the security application securing the computing device by utilizing the ActivityManager.killBackgroundProcesses method to automatically terminate the application service after the application has launched the application service;” and “wherein: the identifying is performed by utilizing a kernel-level hook to identify a request to launch the application service prior to the request being granted; and the recommended security action comprises uninstalling or disabling the application such that the user is protected by preventing the application from sharing the private user data while waiting for the user to uninstall or disable the application.”
This feature, in light of other features, when considered as a whole, in the independent claims 1, 10, and 19 is allowable over the prior art of record.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”





Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CANH LE whose telephone number is (571)270-1380.  The examiner can normally be reached on Monday-Friday: 6:00 AM-3:30 PM, other Friday off.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Canh Le/
Examiner, Art Unit 2439
March 4th, 2021


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439