DETAILED ACTION
This action is in response to new application filed 6/27/2019 titled “Methods and Devices for Context-Based String Analysis for Vulnerability Detection”. Claims 1-20 were received for consideration and are pending.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
Acknowledgment is made of applicant's claim for foreign priority under 35 U.S.C. 119(a)-(d).  The certified copy has been received.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/02/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-20 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by Yang et al “Show me the Money! Finding Flawed Implementations of Third-Party In-app Payment in Android Apps” (Listed on IDS filed 11/2/2020).
With respect to claim 1 Yang teaches a computer-implemented method of identifying potential vulnerabilities in a software package that includes two or more build files, the build files including at least an application file and one or more associated files (section IV.B: We combine pattern matching and dynamic testing techniques to detect KEY leakage in apps. We develop an automatic detecting tool based on AndroGuard to search leaked KEY in app adaptively against specific cashier. For WexPay, it adopts hash function with secret key to generate the message signature), comprising:
	scanning the application file to identify and extract a string from the application file; determining that the string is referenced in one of the associated files and
obtaining data associated with the string from the associated file (section IV.B: We can first locate strings with similar features in DEX file and resource file (strings.xml));
classifying the string based, in part, on the data obtained from the associated file; 
determining a full context for the string based, at least in part, on the classification (section IV.B: The Web API offered by WexPay allows merchant to download the history bill of one day with three necessary parameters: appid, mch_id, and secret key. Therefore, we could leverage the appid and the mch_id to help identify the secret key. Notice that the features of these two parameters are apparent: the appid is a 18-byte 
	setting a relevance rank for the string based on the full context; and outputting the string and its relevance rank (section IV.B: And if all three parameters are correct (which means we find a leaked key in app), the Web API responds either the merchant’s real bill data, or “no bill exists” if no transaction happened on that day. Using this testing approach, we can effectively find leaked WexPay key in an app).

With respect to claim 2 Yang teaches the method of claim 1, wherein the data includes a new string to which the string is mapped in the associated file (section IV.B: We can first locate strings with similar features in DEX file and resource file (strings.xml) and query the web API for the identity of the found parameters).

With respect to claim 3 Yang teaches the method of claim 1, wherein classifying is based on syntax or structure of the string (section IV.B: The Web API offered by WexPay allows merchant to download the history bill of one day with three necessary parameters: appid, mch_id, and secret key. Therefore, we could leverage the appid and the mch_id to help identify the secret key. Notice that the features of these two parameters are apparent: the appid is a 18-byte string with a wx prefix, and the mch_id is a 10-byte string comprised of digits only, and both two parameters are uniquely allocated to merchant).

With respect to claim 4 Yang teaches the method of claim 1, wherein classifying includes classifying into a class selected from defined classes, wherein the defined classes include at least one of URLs, email addresses, IP addresses, or key values (section IV.B: The secret key for message signing is a 32-byte string with arbitrary content shared with merchant and cashier).
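Claims 1-4 as mapped above describe one flow: scan the application file for strings, resolve each one that is referenced in the associated resource file, classify by syntax or structure, derive a context from what was found together, rank and output. The following is an added Python illustration of that flow, not code from the application or from Yang's AndroGuard-based tool. The DEX string list, the strings.xml contents, the "@string/name" reference form, the regexes and the rank weights are constructed assumptions; only the byte-length and prefix features come from the mapped Yang passages.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample input: strings extracted from the application (DEX) file. Three are
# references into the resource file (the "@string/name" form is an assumed simplification).
DEX_STRINGS = ["@string/pay_app_id", "@string/merchant_no", "@string/pay_sign_key",
               "https://api.example.invalid/bill", "Hello world"]

# Constructed associated resource file (strings.xml) that the references map into.
STRINGS_XML = """<resources>
  <string name="pay_app_id">wx0123456789abcdef</string>
  <string name="merchant_no">1234567890</string>
  <string name="pay_sign_key">0123456789abcdef0123456789abcdef</string>
</resources>"""

# Syntax/structure classes taken from the mapped Yang passages (appid: 18 bytes with a "wx"
# prefix; mch_id: 10 digits; secret key: 32 bytes) plus a URL class; weights are assumed.
CLASSES = [("appid", re.compile(r"^wx[0-9A-Za-z]{16}$"), 2),
           ("mch_id", re.compile(r"^\d{10}$"), 2),
           ("secret_key", re.compile(r"^[0-9A-Za-z]{32}$"), 3),
           ("url", re.compile(r"^https?://"), 1)]

def resolve(string, resources):
    """Data associated with the string: the resource value it maps to, or None if literal."""
    if string.startswith("@string/"):
        return resources.get(string[len("@string/"):])
    return None

def classify(value):
    """Classify by syntax/structure; returns (class name, base weight)."""
    for name, pattern, weight in CLASSES:
        if pattern.match(value):
            return name, weight
    return "other", 0

def analyze(dex_strings, strings_xml):
    """Scan, resolve, classify, derive context, rank and output (highest rank first)."""
    resources = {e.get("name"): e.text or "" for e in ET.fromstring(strings_xml).iter("string")}
    findings, seen = [], set()
    for s in dex_strings:
        data = resolve(s, resources)
        cls, weight = classify(data if data is not None else s)
        seen.add(cls)
        findings.append({"string": s, "data": data, "class": cls, "weight": weight})
    # Full context: a candidate key found alongside an appid and mch_id is the combination
    # Yang uses to identify a leaked key, so it outranks a 32-byte string found on its own.
    bonus = 2 if {"appid", "mch_id"} <= seen else 0
    for f in findings:
        f["rank"] = f["weight"] + (bonus if f["class"] == "secret_key" else 0)
    return sorted(findings, key=lambda f: f["rank"], reverse=True)
```

Each output record carries the original string, the data it mapped to in strings.xml, its class and its rank, which is the combination claims 1 and 10 describe outputting.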

With respect to claim 5 Yang teaches the method of claim 1, determining the full context includes determining the full context based on a use made, in the application file, of the data associated with the string (section IV.B: The Web API offered by WexPay allows merchant to download the history bill of one day with three necessary parameters: appid, mch_id, and secret key. Therefore, we could leverage the appid and the mch_id to help identify the secret key. Notice that the features of these two parameters are apparent: the appid is a 18-byte string with a wx prefix, and the mch_id is a 10-byte string comprised of digits only, and both two parameters are uniquely allocated to merchant).

With respect to claim 6 Yang teaches the method of claim 5, wherein the data associated with the string comprises a new string and wherein the use made is the use of the new string (section IV.B: We can first locate strings with similar features in DEX file and resource file (strings.xml) and query the web API for the identity of the found parameters).



With respect to claim 8 Yang teaches the method of claim 1, wherein the associated file comprises a resource file (section IV.B: We can first locate strings with similar features in DEX file and resource file (strings.xml) and query the web API for the identity of the found parameters).

With respect to claim 9 Yang teaches the method of claim 8, wherein the resource file includes a string resource file (section IV.B: We can first locate strings with similar features in DEX file and resource file (strings.xml), and query the web API for the identity of the found parameters).

With respect to claim 10 Yang teaches the method of claim 1, wherein outputting the string and its relevance rank includes outputting the string and the data associated with the string (section IV.B: And if all three parameters are correct (which means we find a leaked key in app), the Web API responds either the merchant’s real bill data, or “no bill exists” if no transaction happened on that day. Using this testing approach, we can effectively find leaked WexPay key in an app).

With respect to claim 11 Yang teaches a computing device for identifying vulnerabilities in a software package that includes two or more build files, the build files 
memory storing the build files (section IV.B: stored WexPay app); and
a software vulnerability analysis application stored in memory and containing instructions that (section IV.B: We combine pattern matching and dynamic testing techniques to detect KEY leakage in apps. We develop an automatic detecting tool based on AndroGuard to search leaked KEY in app adaptively against specific cashier. For WexPay, it adopts hash function with secret key to generate the message signature), when executed by the one or more processors, are to cause the processors to:
	scan the application file to identify and extract a string from the application file; determine that the string is referenced in one of the associated files and
obtaining data associated with the string from the associated file (section IV.B: We can first locate strings with similar features in DEX file and resource file (strings.xml));
classify the string based, in part, on the data obtained from the associated file; 
determine a full context for the string based, at least in part, on the classification (section IV.B: The Web API offered by WexPay allows merchant to download the history bill of one day with three necessary parameters: appid, mch_id, and secret key. Therefore, we could leverage the appid and the mch_id to help identify the secret key. Notice that the features of these two parameters are apparent: the appid is a 18-byte string with a wx prefix, and the mch_id is a 10-byte string comprised of digits only, and both two parameters are uniquely allocated to merchant) and (section IV.B: The secret 
	set a relevance rank for the string based on the full context; and output the string and its relevance rank (section IV.B: And if all three parameters are correct (which means we find a leaked key in app), the Web API responds either the merchant’s real bill data, or “no bill exists” if no transaction happened on that day. Using this testing approach, we can effectively find leaked WexPay key in an app).

With respect to claim 12 Yang teaches the computing device of claim 11, wherein the data includes a new string to which the string is mapped in the associated file (section IV.B: We can first locate strings with similar features in DEX file and resource file (strings.xml) and query the web API for the identity of the found parameters).

With respect to claim 13 Yang teaches the computing device of claim 11, wherein classifying is based on syntax or structure of the string (section IV.B: The Web API offered by WexPay allows merchant to download the history bill of one day with three necessary parameters: appid, mch_id, and secret key. Therefore, we could leverage the appid and the mch_id to help identify the secret key. Notice that the features of these two parameters are apparent: the appid is a 18-byte string with a wx prefix, and the mch_id is a 10-byte string comprised of digits only, and both two parameters are uniquely allocated to merchant).



With respect to claim 15 Yang teaches the computing device of claim 11, wherein the instructions, when executed, are to further cause the processors to determine the full context by determining the full context based on a use made, in the application file, of the data associated with the string (section IV.B: The Web API offered by WexPay allows merchant to download the history bill of one day with three necessary parameters: appid, mch_id, and secret key. Therefore, we could leverage the appid and the mch_id to help identify the secret key. Notice that the features of these two parameters are apparent: the appid is a 18-byte string with a wx prefix, and the mch_id is a 10-byte string comprised of digits only, and both two parameters are uniquely allocated to merchant) and (section IV.B: The secret key for message signing is a 32-byte string with arbitrary content shared with merchant and cashier).

With respect to claim 16 Yang teaches the computing device of claim 15, wherein the data associated with the string comprises a new string and wherein the use made is the use of the new string (section IV.B: We can first locate strings with similar features 

With respect to claim 17 Yang teaches the computing device of claim 11, wherein the application file includes a binary or executable file (section IV.B: We can first locate strings with similar features in DEX file and resource file (strings.xml)).

With respect to claim 18 Yang teaches the computing device of claim 11, wherein the associated file comprises a resource file (section IV.B: We can first locate strings with similar features in DEX file and resource file (strings.xml) and query the web API for the identity of the found parameters).

With respect to claim 19 Yang teaches the computing device of claim 18, wherein the resource file includes a string resource file (section IV.B: We can first locate strings with similar features in DEX file and resource file (strings.xml) and query the web API for the identity of the found parameters).

With respect to claim 20 Yang teaches the computing device of claim 11, wherein the instructions, when executed, are to further cause the processors to output the string and its relevance rank by outputting the string and the data associated with the string section IV.B: And if all three parameters are correct (which means we find a leaked key in app), the Web API responds either the merchant’s real bill data, or “no bill exists” if no .

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEVIN E ALMEIDA whose telephone number is (571)270-1018.  The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M.  The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/DEVIN E ALMEIDA/Examiner, Art Unit 2492

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492