DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This is in reply to papers filed on 2018-09-12. Claims 1-20 are pending. Claims 1, 9, 15 is/are independent.

Information Disclosure Statement PTO-1449
The Information Disclosure Statement(s) submitted by applicant on 2018-09-12 has/have been considered. The submission is in compliance with the provisions of 37 CFR § 1.97. Form PTO-1449 signed and attached hereto.

Claim Objections
Claim(s) 7, 15-20 is/are objected to because of the following informalities: The examiner suggests the following corrections:
Claim 7:
Amend the claim to read, in part, as follows "and recording any other data values"
Claim 15:
Amend the claim to read, in part, as follows "A computer readable storage medium, tangibly embodying a program"
Dependent claims 16-20 are objected to for the reasons presented above with respect to objected claims 15 and in view of their dependence thereon.

Claim Rejections - 35 U.S.C. § 112
The following is a quotation of 35 U.S.C. § 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
Claim(s) 8 is/are rejected under 35 U.S.C. § 112(b) or 35 U.S.C. § 112 ¶ 2 (pre-AIA ) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
In claim 8 , the phrase "an API request implements a method to interface with a service provided by an Operating System of the mobile device, said determining one or more private values provided by the security-sensitive method comprising" (emphasis added) makes the claims indefinite and unclear in that it lacks antecedent basis.  This is the first mention of a "security sensitive method" or of any "determining one or more private values provided" by such a method.  Additionally, Examiner notes that confusion is likely to arise between "method" in the patent claim usage and "method" in the "API method call" usage as in Specification ¶ 0039-0040]1.  Applicant is encouraged to avoid such confusion whenever possible.

Summary of Claim Rejections under 35 U.S.C.§ 103
The following table summarizes the rejections set forth in detail below of the claims over the prior art.

Claim No.
Zonouz '682 in view of Sutton '118 
Zonouz '682 in view of Sutton '118 in view of Arad '885 
1
[Wingdings font/0xFC]


[Wingdings font/0xFC]

3
[Wingdings font/0xFC]

4
[Wingdings font/0xFC]

5
[Wingdings font/0xFC]

6

[Wingdings font/0xFC]
7

[Wingdings font/0xFC]
8
[Wingdings font/0xFC]

9
[Wingdings font/0xFC]

10
[Wingdings font/0xFC]

11
[Wingdings font/0xFC]

12
[Wingdings font/0xFC]

13
[Wingdings font/0xFC]

14

[Wingdings font/0xFC]
15
[Wingdings font/0xFC]

16
[Wingdings font/0xFC]

17
[Wingdings font/0xFC]

18
[Wingdings font/0xFC]

19
[Wingdings font/0xFC]

20

[Wingdings font/0xFC]


Claim Rejections - 35 U.S.C. § 103
The following is a quotation of the appropriate paragraphs of AIA  35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of AIA  35 U.S.C. 103 that forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. § 103(a) are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim(s) 1-5, 8-13, 15-19 is/are rejected under 35 U.S.C. § 103 as being unpatentable over U.S. Publication 20200293682 to Zonouz et al. (hereinafter "Zonouz '682") in view of U.S. Publication 20200074118 to Sutton et al. (hereinafter "Sutton '118").  Zonouz '682 is prior art to .
Per claim 1 (independent):
Zonouz '682 discloses a method of repairing security vulnerabilities of an application running on a mobile device (protects sensitive data by tracking flows of data use [Zonouz '682 ¶ 0047-0050] by mobile app [Zonouz '682 ¶ 0049, 0059])
Zonouz '682 discloses monitoring, by a hardware processor running a mobile device application, an application program interface (API) request associated with a data access operation, said data access operation associated with a security vulnerability (intercepts ANDROID OS service calls amd API calls [Zonouz '682 ¶ 0069, 0058, 0091-0094, 0102-0103]; prevents leakage of sensitive data [Zonouz '682 ¶ 0047-0050])
Zonouz '682 discloses determining, using the hardware processor, one or more private values provided by the data access operation (protects sensitive data by tracking flows of data use [Zonouz '682 ¶ 0047-0050, 0057-0058, 0069-0070])
Zonouz '682 discloses tracking, for each determined private value, using the hardware processor, a use of the private value by said mobile device application (protects sensitive data by tracking flows of data use [Zonouz '682 ¶ 0047-0050, 0057-0058, 0069-0070])
Zonouz '682 discloses determining, by the hardware processor, from said tracked usage, whether a private value has been transformed in a manner associated with the security vulnerability (protects sensitive data by tracking flows of data use [Zonouz '682 ¶ 0047-0050, 0057-0058, 0069-0070])
Zonouz '682 does not disclose for each private value that has been transformed according to the security vulnerability, using the processor to modify the private value deemed a security vulnerability prior to an access by the mobile device application
However, Zonouz '682 discloses for each private value that has been transformed according to the security vulnerability, using the processor to block leakage of the private value deemed a security vulnerability prior to an access by the mobile device application (blocks operations that would leak of sensitive data [Zonouz '682 ¶ 0047-0050])
Further:
Sutton '118 discloses for each private value that has been transformed according to the security vulnerability, using the processor to modify the private value deemed a security vulnerability prior to an access by the mobile device application ("apply obfuscating techniques to the pointer so that no potentially private information is leaked through the URL" [Sutton '118 ¶ 0109])

for each private value that has been transformed according to the security vulnerability, using the processor to modify the private value deemed a security vulnerability prior to an access by the mobile device application
A person having ordinary skill in the art would have been motivated to combine them at least because obfuscating the sensitive value would allow execution to continue with relatively little disruption while still protecting the sensitive information from disclosure.  A person having ordinary skill in the art would have been further motivated to combine them at least because Sutton '118 teaches [Sutton '118 ¶ 0109] modifying a flow-tracking data loss prevention system [Zonouz '682 ¶ 0047-0050] such as that of Zonouz '682 to arrive at the claimed invention; because doing so constitutes use of a known technique (obfuscation and URL sanitizing  [Sutton '118 ¶ 0109]) to improve similar devices and/or methods (flow-tracking data loss prevention system [Zonouz '682 ¶ 0047-0050]) in the same way; because doing so constitutes applying a known technique (obfuscation and URL sanitizing  [Sutton '118 ¶ 0109]) to known devices and/or methods (flow-tracking data loss prevention system [Zonouz '682 ¶ 0047-0050]) ready for improvement to yield predictable results; and because the modification amounts to combining prior art elements according to known methods to yield predictable results.  Here, (1) the prior art included each element (as detailed above); (2) one of ordinary skill in the art could have combined the elements as claimed by known methods, and in this combination, each element merely performs the same function as it does separately (flow-tracking data loss 
Per claim 2 (dependent on claim 1):
Zonouz '682 in view of Sutton '118 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Zonouz '682 discloses the data access operation comprises an operation for reading said private values from a specified source, said private values selected from the group of privacy-sensitive values comprising: a mobile device location, a mobile device identifier, a user name, a Web surfing habit, a mobile phone number, a WiFi network, and a carrier (reads sensitive location data from sensors [Zonouz '682 ¶ 0069, 0085])
Per claim 3 (dependent on claim 1):
Zonouz '682 in view of Sutton '118 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Zonouz '682 discloses said determining whether the private value had been transformed includes detecting an operation for writing the private value to a location for storage in a memory storage unit ("prevent . . . sensitive data from being transmitted from the sink of the device to external untrusted parties  [Zonouz '682 ¶ 0008]; sink is, e.g., "network socket, a file, or a message"  [Zonouz '682 ¶ 0010])
Per claim 4 (dependent on claim 3):
Zonouz '682 in view of Sutton '118 discloses the elements detailed in the rejection of claim 3 above, incorporated herein by reference
Zonouz '682 discloses said determining whether the private value had been transformed includes detecting an operation for sending said private value over a network connection to a specified network location ("prevent . . . sensitive data from being transmitted from the sink of the device to external untrusted parties  [Zonouz '682 ¶ 0008]; sink is, e.g., "network socket, a file, or a message"  [Zonouz '682 ¶ 0010])
Per claim 5 (dependent on claim 4):
Zonouz '682 in view of Sutton '118 discloses the elements detailed in the rejection of claim 4 above, incorporated herein by reference
Zonouz '682 does not disclose said network location comprises a Uniform Resource Locator (URL), said determining whether the private value had been transformed comprises detecting an operation for appending a stored private value to said URL
Further:

For the reasons detailed above with respect to claim 1, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Zonouz '682 of with the obfuscation and URL sanitizing of Sutton '118 to arrive at an apparatus, method, and product including:
said network location comprises a Uniform Resource Locator (URL), said determining whether the private value had been transformed comprises detecting an operation for appending a stored private value to said URL
Per claim 8 (dependent on claim 1):
Zonouz '682 in view of Sutton '118 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Zonouz '682 discloses an API request implements a method to interface with a service provided by an Operating System of the mobile device, said determining one or more private values provided by the security-sensitive method comprising detecting, using the hardware processor, a private value associated with a security-sensitive service selected from a group of security-sensitive services comprising: a READ service, a WRITE service, an EXECUTE service, a DELETE service, a NETWORK CONNECT service, a PERMISSION CHANGE service (intercepts ANDROID OS service calls amd API calls [Zonouz '682 ¶ 0069, 0058, 0091-0094, 0102-0103]; prevents leakage of sensitive data [Zonouz '682 ¶ 0047-0050]; "prevent . . . sensitive data from being transmitted from the sink of the device to external untrusted parties  [Zonouz '682 ¶ 0008]; sink is, e.g., "network socket, a file, or a message"  [Zonouz '682 ¶ 0010])
Per claim 9 (independent):
Zonouz '682 discloses a memory storage device storing a program of instructions and a hardware processor device receiving said program of instructions to configure said hardware processor to (processor(s), memory, computer readable media, storage, executable instructions [Zonouz '682 ¶ 0146-0170])
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 1 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 10 (dependent on claim 9):
Zonouz '682 in view of Sutton '118 discloses the elements detailed in the rejection of claim 9 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 2 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 11 (dependent on claim 9):
Zonouz '682 in view of Sutton '118 discloses the elements detailed in the rejection of claim 9 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 3 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 12 (dependent on claim 11):
Zonouz '682 in view of Sutton '118 discloses the elements detailed in the rejection of claim 11 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 4 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 13 (dependent on claim 12):
Zonouz '682 in view of Sutton '118 discloses the elements detailed in the rejection of claim 12 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 5 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 15 (independent):
Zonouz '682 discloses a computer readable storage medium, tangible embodying a program of instructions executable by a mobile computing device for configuring a hardware processor of said mobile computing device to run a method (processor(s), memory, computer readable media, storage, executable instructions [Zonouz '682 ¶ 0146-0170])
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 1 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 16 (dependent on claim 15):
Zonouz '682 in view of Sutton '118 discloses the elements detailed in the rejection of claim 15 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 2 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 17 (dependent on claim 15):
Zonouz '682 in view of Sutton '118 discloses the elements detailed in the rejection of claim 15 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 3 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 18 (dependent on claim 17):
Zonouz '682 in view of Sutton '118 discloses the elements detailed in the rejection of claim 17 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 4 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 19 (dependent on claim 18):
Zonouz '682 in view of Sutton '118 discloses the elements detailed in the rejection of claim 18 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 5 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Claim(s) 6-7, 14, 20 is/are rejected under 35 U.S.C. § 103   as being unpatentable over Zonouz '682 in view of Sutton '118 in view of U.S. Publication 20180373885 to Arad et al. (hereinafter "Arad '885").  Arad '885 is prior art to the claims under 35 U.S.C. § 102(a)(2).
Per claim 6 (dependent on claim 5):
Zonouz '682 in view of Sutton '118 discloses the elements detailed in the rejection of claim 5 above, incorporated herein by reference
Zonouz '682 does not disclose said tracking, for each determined private value, using the hardware processor, a use of the private value by said mobile device application comprises constructing a value derivation tree
However, Zonouz '682  discloses said tracking, for each determined private value, using the hardware processor, a use of the private value by said mobile device application comprises constructing a value derivation data model (records initial value, derived values, and operations [Zonouz '682 ¶ 0072, 0086-0089]; uses tree to search for sensitive/tainted values [Zonouz '682 ¶ 0083, 0132])
Further:
Arad '885 discloses said tracking, for each determined private value, using the hardware processor, a use of the private value by said mobile device application comprises constructing a value tree (stores confidential values in a tree structure [Arad '885 ¶ 0071, 0083])
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Zonouz '682 of with the value tree data structure of Arad '885 to arrive at an apparatus, method, and product including:
said tracking, for each determined private value, using the hardware processor, a use of the private value by said mobile device application comprises constructing a value derivation tree
A person having ordinary skill in the art would have been motivated to combine them at least because the value tree data structure of Arad '885 would efficiently store and search the values, derived values, and operations that Zonouz '682 teaches should be stored.  A person having ordinary skill in the art would have been further motivated to combine them at least because Arad '885 teaches [Arad '885 ¶ 0071, 0083] modifying a flow-tracking data loss prevention system [Zonouz '682 ¶ 0047-0050] such as that of Zonouz '682 to arrive at the claimed invention; because doing so constitutes use of a known technique (value tree data structure [Arad '885 ¶ 0071, 0083]) to improve similar devices and/or methods (flow-tracking data loss prevention system [Zonouz '682 ¶ 0047-0050]) in the same way; because doing so constitutes applying a known technique (value tree data structure [Arad '885 ¶ 0071, 0083]) to known devices and/or methods (flow-tracking data loss prevention system [Zonouz '682 ¶ 0047-0050]) ready for improvement to yield predictable results; and because the modification amounts to combining prior art elements according to known methods to yield predictable results.  Here, (1) the prior art included each element (as detailed above); (2) one of ordinary skill in the art could have combined the elements as claimed by known methods, and in this combination, each element merely performs the same function as it does separately (flow-tracking data loss prevention system [Zonouz '682 ¶ 0047-0050] identifies operations and values that would expose sensitive data while value tree data structure efficiently stores and searches them [Arad '885 ¶ 0071, 0083[); (3) one of ordinary skill in the art would have 
Per claim 7 (dependent on claim 6):
Zonouz '682 in view of Sutton '118 in view of Arad '885 discloses the elements detailed in the rejection of claim 6 above, incorporated herein by reference
Zonouz '682 discloses said constructing a value derivation tree comprises recording a representation of each data access operation used to transform a private value in a memory storage unit; recording the private value data in the memory storage unit that have been subject to the transformation; and record any other data values used in the transformation (records initial value, derived values, and operations [Zonouz '682 ¶ 0072, 0086-0089])
Per claim 14 (dependent on claim 13):
Zonouz '682 in view of Sutton '118 discloses the elements detailed in the rejection of claim 13 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 6 and 7 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 20 (dependent on claim 19):
Zonouz '682 in view of Sutton '118 discloses the elements detailed in the rejection of claim 19 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 6 and 7 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THEODORE C PARSONS whose telephone number is (571)270-1475.  The examiner can normally be reached on MTWRF 7:30-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on (571) 272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THEODORE C PARSONS/Primary Examiner, Art Unit 2494                                                                                                                                                                                                        



    
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
    

    
        1 All references to Specification paragraphs herein use the numbering as published in U.S. Publication 20200082096.