DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
This is in response to the amendments filed on 12/13/2021. Claims 1, and 11 have been amended. Claims 1-6, 8-16, and 18-22 are currently pending and have been considered below.

Response to Arguments
Applicant’s arguments, see pages 6-7, filed 12/13/2021, with respect to the rejections of claims 1-6, 8-16, and 18-22 under 35 U.S.C. 112(a), have been considered and are persuasive. The rejection has been withdrawn.
Applicant’s arguments, see pages 6-7, filed 12/13/2021, with respect to the rejections of claims 1-6, 8-16, and 18-22 under 35 U.S.C. 112(b), have been considered but are not persuasive. The rejection is maintained.
On page 9 of Remarks, Applicant asserts that the language of Claims 1 and 11 is clear on its face since the plain meaning of the limitation "the customization data comprising at least one or more cryptographic keys specific to communication with at least one of a given service provider of the plurality of service providers or a user of the mobile device," recited in independent Claims 1 and 11, is that the customization data comprises one or more cryptographic keys specific to: (1) communication with a given service provider of the plurality of service providers; (2) communication with a user of the mobile device; or (3) both communication with the given service provider of the plurality of service providers and communication with the user of the mobile device. The Examiner respectfully disagrees.
communication with …” (emphasis added) Generally, communication takes place between more than two parties (i.e., devices), and as Applicant stated in the Remarks, a person of ordinary skill in the art would not construe cryptographic keys as, themselves, capable of performing an act of communication. However, the claim does not recite a counterpart to have communication with a given service provider of the plurality of service providers or a user of the mobile device.” Thus, it is unclear as to how a given service provider of the plurality of service providers or a user of the mobile device can have communication alone.
 
Applicant’s arguments, see pages 7-10, filed 12/13/2021, with respect to the rejections of claims 1-6, 8-16, and 18-22 under 35 U.S.C. 103, have been considered but are not persuasive. The rejection is maintained. 
On page 8 of Remarks, Applicant asserts that First, Applicant cannot see how Jackson is relevant. … Jackson, on the other hand, relates to discovering, authenticating, and authorizing devices and/or users that are located within an environment that is or may become disconnected from the Internet and/or other ground-based networks, such as a moving vehicle, and particularly an airplane in flight. The Examiner respectfully disagrees.
	Jackson describes that the instant disclosure generally relates to authenticating client applications to services (see para. [0002]); the discovery service 105 may provide the generated session key and the address of Service C 208 c (e.g., the service's URL or Uniform Resource Locator, IP address, or similar service address) to the client application 210 (reference 245), and the discovery service 105 may notify the service 208 c of the generated session key (reference 248). Subsequently, the client application 210 may utilize the session key and the address of Service C 208 c to access the service's API (reference 250) to establish a secure communication session with the service 208 c and access thereto (see para. [0002]). That is, Jackson relates to authenticating client applications using the 

On pages 8-9 of Remarks, Applicant asserts that Jackson does not disclose "in response to the user of the mobile device accessing the customization server independently of the mobile device. The Examiner respectfully disagrees.
In this regard, the claim does not define as to what the limitation “the user” exactly indicates. Thus, for the sake of examination, “the user” is interpreted as a person who uses the mobile device. In addition, the claim does not specify as to how a person (i.e., the user) accesses the customization server independently of the mobile device to receive authentication data. Moreover, it would not be obvious to a person of ordinary skill in the art that a human (i.e., person) could receive data from a server without using a device (e.g., an interface). Thus, the limitation “the user … independently of the mobile device” can be interpreted, for example, as the user (via the mobile device) independently of (what the state of) the mobile device (may be). 
Meanwhile, Jackson describes that, for example, upon reception of the local service request 238 from the client application 210, the discovery service 105 may determine … (see para. [0047]); a user may … receive services from an environment service provider… and may utilize his or her personal device (e.g., tablet, laptop, phone, smart device, e-reader, etc.) to access those services … (see para. [0020]). That is, Jackson teaches that upon reception of the request a user of a personal device accesses the discovery service via the client application without regard to what the state of the personal device may be, and which also teaches "… the user of the mobile device accessing … independently of the mobile device.” 

On page 9 of Remarks, Applicant asserts that a denial of services cannot properly be equated with Applicant's claimed "authorization data" that, contrastingly, enables the receipt of customization data. 
 have been considered but are moot because the arguments do not apply to the reference being used in the current rejection. The Examiner notes that the scope of the claim has been changed by the amendment. For example, the previous claim recited “providing the authorization data from the customization server … to obtain…”. That is, the previous claim did not specify a destination to which the data is provided. However, the amended claim recites “providing the authorization data to the user from the customization server … to receive…” That is, the amended claim newly specifies a destination (i.e., the user) to which the data is provided. Thus, the scope of the claim has been changed, whereby a new ground of rejection necessitated as will be stated below. 

On page 9 of Remarks, Applicant asserts that Jackson does not disclose "receiving the authorization data from the mobile device.” The Examiner respectfully disagrees.
In this regard, Jackson describes that client application 210 requests local service(s) (reference 238) by sending a service request to the discovery service 105 …. Included in the request 238 may be, for example, … an authentication token …; Upon receipt of the local service request 238, the discovery service 105 may authenticate and/or authorize (reference 240) the client application 210 to verify or ensure the credentials of the client application 210. (see paras. [0045]-[0046]) That is, the discovery service 105 receives an authentication token from client application 210, and upon receipt of the authentication token, the discovery service 105 may authenticate and/or authorize (reference 240) the client application 210. Here, the client application 210 teaches the mobile device, and an authentication toke for authorization teaches the authorization data. 
Meanwhile, the claim does not specify what is a receiving party of the authorization data. Thus, for the sake of examination, it is interpreted as any party is a receiving party. In addition, the claim does not define as to what is the authorization data. Thus, for the sake of examination, 

The Examiner notes that Applicant's amendment necessitated the new ground(s) of rejection under 35 USC § 112 and 35 USC § 103 as will be discussed below.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-6, 8-16, and 18-22 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Claim 1 recites the limitation “the customization data comprising at least one or more cryptographic keys specific to communication with at least one of a given service provider of the plurality of service providers or a user of the mobile device” in lines 5-7. It is unclear as to what is meant by this limitation. In other words, the claim recites “cryptographic keys specific to communication with …” (emphasis added) Generally, communication takes place between more than two parties (i.e., devices), and as Applicant stated in the Remarks, a person of ordinary skill in the art would not construe cryptographic keys as, themselves, capable of performing an act of communication. However, the claim does not recite a counterpart to have communication with a given service provider of the plurality of service providers or a user of the mobile device.” Thus, it is unclear as to how a given service provider of the plurality of service providers or a user of the mobile device can have communication alone.
Claim 11 recites the same limitation as the limitation recited in claim 1 discussed above. Thus, claim 11 is rejected by applying the same rationale used to reject claim 1 above.
Claims 2-6, and 8-10 are rejected under 112(b) as being dependent from the rejected claim 1, and claims 12-16, and 18-22 are rejected under 112(b) as being dependent from the rejected claim 11.
 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 5, 6, 8, 10, 11, 15, 16, 18, 20 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Jackson et al. (US2017/0295154 A1; hereinafter, “Jackson”) in view of Bronshtein et al. (US 9,774,590 B1; hereinafter “Bronshtein”)

Regarding claim 1:
Jackson teaches:
(para. [0002]: The instant disclosure generally relates to authenticating client applications to services; para. [0070]: In an embodiment, the computing device on which the client application is executing is a mobile computing device, such as a tablet, laptop, smart phone, or other smart device; para. [0045]: At some point in time after the respective registration and authentication of local services 208 a, 208 c, client application 210 may request (reference 238) a particular one of the local services, or may request knowledge of what local services are available within the environment 102. In the example message flow 215 shown in FIG. 3, client application 210 requests local service(s) (reference 238) by sending a service request to the discovery service 105, e.g., by using the static address of the discovery service 105. Included in the request 238 may be, for example, an indication of an identity and/or type of a particular requested service that is being requested by the client application 210 (e.g., an indication of the identity and/or the type of Service C 208 c) … --- Note that client application teaches an application; a mobile computing device (i.e., client) teaches a mobile device; authenticating client applications to services teaches a method of customizing an application; client application 210 may request a particular one of the local services teaches the application generic to at least one of a plurality of service providers or a plurality of users; 210a and 210b in Fig. 2 teaches service providers), the method comprising: 
storing customization data in a customization server that is independent of the mobile device, the customization data comprising at least one or more cryptographic keys specific to communication with at least one of a given service provider of the plurality of service providers or a user of the mobile device, and when used to modify the application, the customization data thereby changes the application to a customized application that is specific to at least one of the given service provider or the user of the mobile device (para. [0054]: The discovery service 105 may provide the generated session key and the address of Service C 208 c (e.g., the service's URL or Uniform Resource Locator, IP address, or similar service address) to the client application 210 (reference 245), and the discovery service 105 may notify the service 208 c of the generated session key (reference 248). Subsequently, the client application 210 may utilize the session key and the address of Service C 208 c to access the service's API (reference 250) to establish a secure communication session with the service 208 c and access thereto; para. [0021]: FIG. 1 depicts the discovery service 105 and the AA service 108 as being hosted on different nodes of the network 110 for clarity of discussion; however, in some embodiments, the discovery service 105 and the AA service 108 may be hosted on a same node. --- Notes that the discovery service 105 and the AA service 108 collectively (hereinafter, the discovery service 105) teaches a customization server; client teaches the mobile device; the discovery service 105 is independent of the client; the discovery service 105 provide the generated session key teaches storing customization data in a customization server; in this regard, the session key is generated and then providing to the client application, thus it is inherent that the discovery service 105 stores the session key in a memory or buffer at least for a while; utilize the session key to access the service's API (reference 250) to establish a secure communication session with the service 208 c teaches specific to communication with at least one of a given service provider of the plurality of service providers; the generated session key is provided to the client application 210, which teaches when used to modify the application, the customization data thereby changes the application to a customized application that is specific to at least one of the given service provider or the user of the mobile device; that is, the client application is changed to an authorized application); 
in response to the user of the mobile device accessing the customization server independently of the mobile device to … enables the mobile device to securely receive the customization data from the customization server (para. [0046]: Upon receipt of the local service request 238, the discovery service 105 may authenticate and/or authorize (reference 240) the client application 210 to verify or ensure the credentials of the client application 210; para. [0047]: In some embodiments, local service request 238 may include credentials corresponding to the client application 210. … Upon reception of the local service request 238 from the client application 210, the discovery service 105 may determine whether or not the client application's credentials have expired. If the respective client application's credentials have expired, the discovery service 105 may deny the client application's request for services 238; para. [0054]: The discovery service 105 may provide the generated session key … to the client application 210 (reference 245). --- Notes that Upon reception of the local service request 238 from the client application 210 teaches in response to the user of the mobile device accessing the customization server independently of the mobile device, here; the claim does not define what the limitation “the user” exactly indicates, thus for the sake of examination, the user is interpreted as a person who uses the mobile device. In addition, the claim also does not recite any method that a person (i.e., the user) can access the customization server without using the mobile device. Thus, for the sake of examination, the limitation “the user … independently of the mobile device” is interpreted as the user via the mobile device independently of what the state of the mobile device may be; the discovery service 105 may provide the generated session key to the client application 210 (reference 245), which teaches the mobile device to receive the customization data from the customization server; Upon receipt of the local service request 238, the discovery service 105 may authenticate and/or authorize (reference 240) the client application 210, and If not authorized (i.e., client application's credentials have expired), deny the client application's request for services 238, which teaches the mobile device to securely receive data from the customization server); and 
receiving the authorization data from the mobile device (para. [0045]: In the example message flow 215 shown in FIG. 3, client application 210 requests local service(s) (reference 238) by sending a service request to the discovery service 105 …. Included in the request 238 may be, for example, … an indication of a general request for available services, and/or a token. In an embodiment, the token may be an authentication token that is signed by the same party that assigned the address of the discovery service 105; para. [0046]: Upon receipt of the local service request 238, the discovery service 105 may authenticate and/or authorize (reference 240) the client application 210 to verify or ensure the credentials of the client application 210. --- Note that the request 238 includes an authentication token and credentials teaches receiving the authorization data from the mobile device; Further note that the claim does not specify as to what is a receiving party of the authorization data. Thus, for the sake of examination, it is interpreted as any party is a receiving party. In addition, the claim does not define as to what is the authorization data. Thus, for the sake of examination, the authorization data is interpreted as any data relating to authorization) and causing the customization server to provide the customization data to the mobile device (para. [0054]: The discovery service 105 may provide the generated session key and the address of Service C 208 c (e.g., the service's URL or Uniform Resource Locator, IP address, or similar service address) to the client application 210 (reference 245); para. [0079]: The session key and the secured connection may thereby provide the client application access to the registered local service provided by the node. --- Note that, the discovery service 105 provides the generated session key to the client application 210, which teaches causing the customization server to provide the customization data to the mobile device; here, the claim does not specify as to what causes to provide, thus for the sake of examination, it is caused by any reason), wherein the customization data enables the mobile device to change the application to the customized application (para. [0054]: The discovery service 105 may provide the generated session key and the address of Service C 208 c (e.g., the service's URL or Uniform Resource Locator, IP address, or similar service address) to the client application 210 (reference 245), and the discovery service 105 may notify the service 208 c of the generated session key (reference 248). Subsequently, the client application 210 may utilize the session key and the address of Service C 208 c to access the service's API (reference 250) to establish a secure communication session with the service 208 c and access thereto. --- Note that the generated session key is provided to the client application 210 to access the service's API (reference 250) to establish a secure communication session with the service 208 c, which teaches when used to modify the application, the customization data thereby changes the application to a customized application that is specific to at least one of the given service provider or the user of the mobile device; that is, the client application is changed to an authorized application).
Jackson is silent about:
… the user of the mobile device accessing … server … to receive authorization data, providing the authorization data to the user from the … server, wherein the authorization data enables the mobile device to securely receive … data from the … server.
Bronshtein taches:
… the user of the mobile device accessing … server … to receive authorization data, providing the authorization data to the user from the … server, wherein the authorization data enables the mobile device to securely receive … data from the … server (col. 3, l. 47- col. 4, l. 12: Prior to exchanging confidential or sensitive information with a server, a client may authenticate the identity of a server as a trusted server. Having authenticated a server as trusted, a client may establish a secure communications “session” with the server  … Prior to, or as part of, establishing a secure session, a client may authenticate the server as the actual, trusted server. A client may use a securely signed digital identity (or, “security”) certificate, associated with the server, to verify the authenticity of the server providing that certificate. As part of establishing a secure session (e.g., using TLS) with a server, a client may request that the server provide the security certificate to the client. The client may use the security certificate received from the server to verify the authenticity of the server. The certificate may include authentication component information about the server, such as a public encryption key used by the Certificate Authority (CA). --- Note that a client may request that the server provide the security certificate to the client, which teaches the user of the mobile device accessing … server … to receive authorization data; here, the security certificate teaches authorization data, and since the user is interpreted as a person who uses the mobile device, the limitation “the user of the mobile device accessing … server” is interpreted as the user accesses server via the mobile device but independently of what the mobile device’s state may be, thus, a client teaches the user of the mobile device; the security certificate received from the server teaches providing the authorization data to the user from the … server, here, the claim does not define as to what the authorization data is, thus, for the sake of examination, the limitation “the authorization data” is interpreted as any data relating to authorization; Having authenticated a server as trusted, a client may establish a secure communications “session” with the server, and exchanging confidential or sensitive information with a server, teaches the authorization data enables the mobile device to securely receive … data from the … server ).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Jackson’s system by enhancing Jackson’s system to provide the security certificate to the client application from the AA service, as taught by Bronshtein, in order to establish a secure communication session with the server. 
The motivation is to prevent an unauthorized party from accessing to provider resources by tempering the application.

Regarding claim 5:
Jackson in view of Bronshtein teaches:
The method, according to claim 1.
Jackson teaches:
(para. [0052]: For example, the client application 210 may directly transmit an API request including the session key to the local service 208 c (reference 250), and the service 208 c may respond with an API response (reference 252), thereby establishing a direct, secured communication session between the client application 210 and Service C 208 c via the service's API. --- Note that establishing a direct, secured communication session between the client application 210 and Service C 208 c teaches customizing the application allows the mobile device to access a user service on behalf of the user).  

Regarding claim 6:
Jackson in view of Bronshtein teaches:
The method, according to claim 5.
Jackson teaches:
wherein the user service is provided by the given service provider (para. [0055]: For example, more than one service (or even all services) that are provided by the environmental service provider of the environment 102 may share a common, standard API via which they may be accessed within the environment 102. --- Note that more than one service (or even all services) that are provided by the environmental service provider teaches the user service is provided by the given service provider).  

Regarding claim 8:
Jackson in view of Bronshtein teaches:
The method, according to claim 6.
Jackson is silent about:
wherein the user service is banking.  
Bronshtein teaches:
(col. 3, ll. 1-11: Clients may access a server, for example, to request data, such as a web page; a service, such as a banking transaction; or a resource, such as storage or a virtual machine in a computer server or a computing cloud. --- Note that a banking transaction teaches banking).  
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Jackson’s system by enhancing Jackson’s system to apply the method for authenticating applications to the banking transaction, as taught by Bronshtein, in order to provide secure user access to its own account. 
The motivation is to protect client’s banking account from unauthorized accessing by preventing spoofing of the codes or interception of information during the log-in process.

Regarding claim 10:
Jackson in view of Bronshtein teaches:
The method, according to claim 1.
Jackson is silent about:
wherein certificate pinning is used to require that the mobile device only communicate with predetermined customization servers.  
Bronshtein teaches:
wherein certificate pinning is used to require that the mobile device only communicate with predetermined customization servers (col. 5, ll. 1-7: To authenticate a server security certificate, a client may perform “certificate pinning”. In performing certificate pinning, a client may extract particular information from a security certificate; col. 5, ll. 21-25: For example, FIG. 1 illustrates client 102 performing certificate pinning 150. In performing the certificate pinning, client 102 may extract the public key of server 104 from a security certificate received from server 104 (e.g., in the server hello); col. 2, ll. 57-60:  Clients may be, or include, programs operating on a computer, or within a virtual machine of a computer. Clients may be, or include, “apps”, such as those used on a mobile device (e.g., a cell phone or tablet computer)).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Jackson’s system by enhancing Jackson’s system to use certificate pinning when communicating between mobile device and servers, as taught by Bronshtein, in order to assure that a server is actually the intended server in various services environment. 
In this regard, Bronshtein describes that the attacker may then intercept communications between the client and an intended server. The attacker may simply monitor the communications, for example to “snoop” the client information, or may communicate the information to an unauthorized user (e.g., to extract a credit card number for unauthorized use by another). An attacker may modify information in the communications, for example, to expose the client to malware that then may be installed on the client computer. (Bronshtein, col. 3, ll. 38-46).
Thus, the motivation is to protect the system and information from attackers and unauthorized users by assuring that the mobile device communicates with the actual intended server using the certificate pinning.

Regarding claim 11:
Claim 11 recites a non-transitory computer-readable medium which corresponds to the method of claim 1, and additionally contains executable code. However, Jackson teaches executable code (para. [0022]: A “node,” as generally referred to herein, may comprise one or more computing devices having one or more processors, a network interface, and one or more memories storing computer-executable instructions. The instructions may be executed by the processor(s) to perform one or more actions). Therefore, claim 11 is rejected by applying the same rationale used to reject claim 1 above.

Regarding claim 15:
Claim 15 recites the non-transitory computer-readable medium which corresponds to the method of claim 5, and contains no additional limitation. Therefore, claim 15 is rejected by applying the same rationale used to reject claim 5 above.

Regarding claim 16:
Claim 16 recites the non-transitory computer-readable medium which corresponds to the method of claim 6, and contains no additional limitation. Therefore, claim 16 is rejected by applying the same rationale used to reject claim 6 above.

Regarding claim 18:
Claim 18 recites the non-transitory computer-readable medium which corresponds to the method of claim 8, and contains no additional limitation. Therefore, claim 18 is rejected by applying the same rationale used to reject claim 8 above.

Regarding claim 20:
Claim 20 recites the non-transitory computer-readable medium which corresponds to the method of claim 10, and contains no additional limitation. Therefore, claim 10 is rejected by applying the same rationale used to reject claim 10 above.

Regarding claim 21:
Jackson in view of Bronshtein teaches:
The non-transitory computer-readable medium, according to claim 11.
Jackson further teaches:
(para. [0054]: The discovery service 105 may provide the generated session key and the address of Service C 208 c (e.g., the service's URL or Uniform Resource Locator, IP address, or similar service address) to the client application 210 (reference 245), and the discovery service 105 may notify the service 208 c of the generated session key (reference 248). Subsequently, the client application 210 may utilize the session key and the address of Service C 208 c to access the service's API (reference 250) to establish a secure communication session with the service 208 c and access thereto; para. [0021]: FIG. 1 depicts the discovery service 105 and the AA service 108 as being hosted on different nodes of the network 110 for clarity of discussion; however, in some embodiments, the discovery service 105 and the AA service 108 may be hosted on a same node. --- Notes that utilize the session key to access the service's API (reference 250) to establish a secure communication session with the service 208 c teaches the one or more cryptographic keys are specific to communication between the given service provider and the user of the mobile device).

Claims 2-4, 9, 12-14, 19, and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Jackson et al. (US2017/0295154 A1; hereinafter, “Jackson”) in view of Bronshtein et al. (US 9,774,590 B1; hereinafter “Bronshtein”), and further in view of Harris (US 2015/0089591 A1; hereinafter, “Harris”).

Regarding claim 2:
Jackson in view of Bronshtein teaches:
The method, according to claim 1.
Jackson in view of Bronshtein is silent about:

Harris teaches: 
wherein the authorization data is provided by at least one of postal message, email message, an SMS text message, or a visual code provided on a screen of a computer used to access the customization server (FIG. 3 & para. [0065]: In step S3-2, the computing apparatus 10 receives and displays the web page information. In this example, the web page information comprises a “Login” page 110. The “Login” page 110 is as described with reference to FIG. 2 and comprises the encoded information item 312, which is in this example is a graphical object (GO), in particular a “quick response” (QR) code). --- It is noted that the web page information comprises a “Login” page 110, which teaches the authorization data; FIG. 3 teaches the QR code is displayed on a screen of the computing apparatus, which access the server apparatus).  
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Jackson in view of Bronshtein’s system by enhancing Jackson in view of Bronshtein’s system to provide the credentials by visual code, as taught by Harris, in order to increase the complexity of the authentication system. 
The motivation is to allow the user to input the credentials quickly and easily by using machine-accessible codes such as QR code and Bar code.

Regarding claim 3:
Jackson in view of Bronshtein and Harris teaches:
The method, according to claim 4, further comprising …
Jackson is silent about:

Bronshtein teaches:
receiving credential information from the user via the computer to access the customization server (col. 3, ll. 12-15: a client may communicate information to a server in which some, or all, of the client information may be confidential or sensitive. --- It is noted that confidential or sensitive teaches credential information).
The motivation for claim 2 is applicable for claim 3.

Regarding claim 4:
Jackson in view of Bronshtein and Harris teaches:
The method, according to claim 2.
Jackson in view of Bronshtein is silent about:
wherein the authorization data is provided by the visual code on the screen of the computer and is configured for capture by the mobile device.
Harris teaches: 
wherein the authorization data is provided by the visual code on the screen of the computer and is configured for capture by the mobile device (FIG. 3 & para. [0065]: In step S3-2, the computing apparatus 10 receives and displays the web page information. In this example, the web page information comprises a “Login” page 110. The “Login” page 110 is as described with reference to FIG. 2 and comprises the encoded information item 312, which is in this example is a graphical object (GO), in particular a “quick response” (QR) code); para. [0072]: In step S3-3, the GO 312 is obtained by the mobile device 12. This may involve the user of the device 12 taking a photograph of the GO 312 with a camera of the device 12. --- It is noted that displays the web page information comprising a “Login” page 110 teaches the authorization data; QR code teaches the visual code; taking a photograph teaches captures).  


Regarding claim 9:
Jackson in view of Bronshtein teaches:
The method, according to claim 1.
Jackson in view of Bronshtein is silent about:
wherein a template is used to populate the customization data.  
Harris teaches:
wherein a template is used to populate the customization data (Fig. 2 & para. [0045]: In step S2-4, an application decodes the encoded information from the obtained GO 112. The application is a dedicated portion of the computer-readable code 122A stored in the memory 122 of the device, which is able to decode the GO 112 and perform subsequent operations. --- Note that the obtained GO 112 teaches a template; encoded information teaches the customization data; the obtained GO 112 is used to populate encoded information; further note that the claim and the specification do not exactly specify what is meant by the template, thus for the sake of examination, it is interpreted as any template or form).  
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Jackson in view of Bronshtein’s system by enhancing Jackson in view of Bronshtein’s system to provide a graphic user interface, as taught by Harris, in order to provide the user with the convenience to input credentials. 
The motivation is to allow the user to input the credentials conveniently and easily by providing a graphic user interface.

Regarding claim 12:


Regarding claim 13:
Claim 13 recites the non-transitory computer-readable medium which corresponds to the method of claim 3, and contains no additional limitation. Therefore, claim 13 is rejected by applying the same rationale used to reject claim 3 above.

Regarding claim 14:
Claim 14 recites the non-transitory computer-readable medium which corresponds to the method of claim 4, and contains no additional limitation. Therefore, claim 14 is rejected by applying the same rationale used to reject claim 4 above.

Regarding claim 19:
Claim 19 recites the non-transitory computer-readable medium which corresponds to the method of claim 9, and contains no additional limitation. Therefore, claim 19 is rejected by applying the same rationale used to reject claim 9 above.

Regarding claim 22:
Claim 22 recites the non-transitory computer-readable medium which corresponds to the method of claim 2, and contains the limitation “teaches graphical customization information” instead of “postal message, email message, an SMS text message, or a visual code.” 
However, Harris describes in para. [0036] that the encoded information item 112 is a graphical object (GO) (which is depicted in the Figures as a “quick response” (QR) code). It will be appreciated that various other types of graphical object may instead be used. Examples of such are barcodes, fractal patterns and moving images. Thus, graphical object teaches graphical customization information. Further note that the claim does not specify how the graphical customization information customize the look of the application, thus the limitation “for customizing the look of the application” is interpreted as intended use. 
Therefore, claim 22 is rejected by applying the same rationale used to reject claim 2 above.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Cahill (US10,044,695 B1) discloses a system to evaluate a request originating from an application corresponding to the application identity and the application instance definition to determine if fulfillment of the request complies with the permissions. 

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WANSIK YOU whose telephone number is (571)270-3360.  The examiner can normally be reached on 7:30-5:30 M-Th.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KHOI TRAN can be reached on (571)-272-6919.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/W.Y./Examiner, Art Unit 3664

/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491