Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 5/9/2022 has been entered.

Response to Amendment
This is in response to the amendments filed on 5/9/2022. Claims 1 and 11 have been amended. Claims 8 and 18 have been canceled. Claims 23 and 24 are newly added. Claims 1-6, 9-16, and 19-24 are currently pending and have been considered below. 

Response to Arguments
Applicant’s arguments with respect to claim(s) 1 and 11 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-6, 9-16, and 19-24 is/are rejected under 35 U.S.C. 103 as being unpatentable over “Johansson” (US 9819673) in view of “Bronshtein” (US 9774590).

Regarding Claim 1:
Johansson teaches:
A method of customizing an application on a mobile device, the application generic to at least one of a plurality of service providers or a plurality of users (Abstract, “The PC application, once authenticated, receives a permitted action token that identifies a limited set of privileges that the PC application is authorized to perform in connection with the CAR resource”; Col. 5, lines 62-65, “Once a privilege-constrained (PC) application 110 is published, users download the application … onto individual client computing devices 120”), the method comprising: 
storing customization data in a customization server that is independent of the mobile device (Col. 2, lines 53-58, “Once the authentication server authenticates that the PC application, the authentication server provides a token to the PC application (referred to throughout as a permitted action token)”),… , and when used to modify the application, the customization data thereby changes the application to a customized application that is specific to at least one of the given service provider or the user of the mobile device (Col, 2, lines 42-58, “At the time of development, limits are placed on the privileges afforded to an application, referred to throughout as a privilege-constrained (PC) application. In addition, before a PC application can initiate a session with a user’s online account … the PC application undergoes an authentication process … Once an authentication server authenticates that the PC application, the authentication server provides a token to the PC application … The permitted action token identifies a limited set of privileges that the PC application is authorized to perform in connection with the client account through the online resource”; i.e., provide a permitted action token (“customization data”) to a client’s privilege-constrained application (“the application”) in order to modify the application to perform a connection with a client account through an online resource (“the given service provider”); Col. 6, lines 57-63, “The permitted action token identifies a limited set of privileges that the PC application is authorized to perform in connection with the CAR online resource. The PC application 110 presents the permitted access token to the access server 145 in connection with establishing a privilege-constrained session with one or more CAR online resources 150”); 
in response to the user of the mobile device accessing the customization server through an access channel other than the application to receive authorization data (Col. 6, lines 33-37, “The client computing devices 120 are configured to communicate over at least two separate communications channels with the authentication server 134, namely a first/primary channel and a second/side channel”; Col. 12, lines 23-27, “However, the SUA code is conveyed over the side or secondary channel 142 … to the client computing device 120, where the side or secondary channel differs from the communications channel in which the initial request (225) was received”; i.e., access the authorization server to receive the SUA code via a secondary channel different from an initial channel established at the application), providing the authorization data to the user from the customization server (Col. 11, lines 23-30, “The SUA code … are returned (208) to the authorization service 135 over a separate communications channel that is distinct from the communications channel over which the outgoing SUA code was originally conveyed from the authorization service 135 to the client computing device”), wherein the authorization data enables the mobile device to securely receive the customization data from the customization server (Col. 11, lines 38-47, “The authorization service 135 validates or verifies (209) the returned SUA code … When a valid SUA code … are identified, the authorization service identifies … a permitted action token that corresponds to the action or actions that are permitted by the application to be taken in connection with the CAR online resource”); and 
receiving the authorization data from the mobile device and causing the customization server to provide the customization data to the mobile device (Col. 11, lines 38-47, “The authorization service 135 validates or verifies (209) the returned SUA code … When a valid SUA code … are identified, the authorization service identifies … a permitted action token that corresponds to the action or actions that are permitted by the application to be taken in connection with the CAR online resource”), wherein the customization data enables the mobile device to change the application to the customized application (Col. 7, lines 25-27, “A new permitted action token may be provided to change (e.g., add or remote) the actions permitted”).
Johansson does not disclose:
	… the customization data comprising at least one or more cryptographic keys specific to at least one of: (1) communication between a given service provider of the plurality of service providers and one or more users or (2) communication between a user of the mobile device and one or more of the plurality of service providers …
Bronshtein teaches:
	… the customization data comprising at least one or more cryptographic keys (Col. 5, lines 1-7, “To authenticate a server security certificate, a client may perform “certificate pinning”; lines 21-25, “In performing client pinning, client 102 may extract the public key of server 104 from a security certificate received from server 104…”) specific to at least one of: (1) communication between a given service provider of the plurality of service providers and one or more users or (2) communication between a user of the mobile device and one or more of the plurality of service providers (Col. 5, lines 31-35, “Client 102 may compare the hash formed from the public key in the security certificate to the pin, to check the authenticity of the security certificate (120), and thereby authenticate server 104 as trusted to communicate with client 102” & lines 39-43, “… to verify that the client accesses only … trusted resources of trusted servers”; i.e., utilize a public key of a security certificate (“customization data”) to authenticate communications between a client device and server resources) …
	Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Johansson’s system to authenticate and authorize applications by enhancing Johansson’s permitted action tokens to include a security certificate associated with a provisioning server, as taught by Bronshtein, in order to provide a method of certificate pinning that allows a client device to authenticate the server prior to further communications.
	The motivation is to incorporate information within a permitted action token received from a server that allows a client device to perform authentication of the server prior to further secure communications with the server. This prevents a client from communicating with a potentially malicious server by the server providing spoofed tokens, and thus enhances the security of communicating sensitive information to a server from the client.

Regarding Claim 2:
The method, according to claim 1, wherein Johansson in view of Bronshtein further teaches the authorization data is provided by at least one of: postal message, email message, an SMS text message, or a visual code provided on a screen of a computer used to access the customization server (Johansson, Col. 9, lines 7-9, “Certain types of trusted channels of communication 142, such as email and short message service (SMS), may terminate on multiple client computing devices 120”).

Regarding Claim 3:
The method, according to claim 4, Johansson in view of Bronshtein further comprising receiving credential information from the user via the computer to access the customization server (Johansson, Col. 11, lines 16-28, “The user reenters the SUA code and enters user credentials at the client computing device … The SUA code, user ID and user credentials are returned (209) to the authorization service 135…”).

Regarding Claim 4:
The method, according to claim 2, wherein Johansson in view of Bronshtein further teaches the authorization data is provided by the visual code on the screen of the computer and is configured for capture by the mobile device (Johansson, Col. 10, line 67 & Col. 11, lines 1-4, “The SUA code may be presented to the user in various manners. For example, the SUA code may be presented as a quick response (QR) code, or alphanumeric character string or both”).

Regarding Claim 5:
The method, according to claim 1, wherein Johansson in view of Bronshtein further teaches customizing the application allows the mobile device to access a user service on behalf of the user (Johansson, Col. 11, lines 38-47, “The authorization service 135 validates or verifies (209) the returned SUA code … When a valid SUA code … are identified, the authorization service identifies … a permitted action token that corresponds to the action or actions that are permitted by the application to be taken in connection with the CAR online resource”).

Regarding Claim 6:
The method, according to claim 5, wherein Johansson in view of Bronshtein further teaches the user service is provided by the given service provider (Johansson, Col. 11, lines 38-47, “The authorization service 135 validates or verifies (209) the returned SUA code … When a valid SUA code … are identified, the authorization service identifies … a permitted action token that corresponds to the action or actions that are permitted by the application to be taken in connection with the CAR online resource”; Here, the examiner interprets the CAR online resource as the “given service provider”).

Regarding Claim 9:
The method, according to claim 1, wherein a template is used to populate the customization data (Johansson, Col. 5, lines 54-61, “The application ID, key and privileges are stored on the application master list 137 for future reference as explained herein. The privileges may include various content, such as a list of actions that are permitted by the application. The privileges may identify the type of request that the application may direct to online resources. The privileges may identify the type of client data that may or may not be requested from an online resource”; i.e., utilize an application master list to store all the privileges that may be later accessed and used to generate a respective permitted action token for an associated application).

Regarding Claim 10:
The method, according to claim 1, wherein Johansson in view of Bronshtein further teaches certificate pinning is used to require that the mobile device only communicate with predetermined customization servers (Bronshtein, Col. 5, lines 1-7, “To authenticate a server security certificate, a client may perform “certificate pinning”; lines 21-25, “In performing client pinning, client 102 may extract the public key of server 104 from a security certificate received from server 104…”).
The motivation to apply Bronshtein to Johansson in rejecting claim 10 is the same motivation applied in combining Bronshtein and Johansson in claim 1, above.

Regarding Claim 23:
The method, according to claim 1, wherein Johansson in view of Bronshtein further teaches the user of the mobile device accessing the customization server through an access channel other than the application to receive authorization data comprises the user of the mobile device accessing the customization server without using the mobile device (Col. 14, lines 32-43, “Optionally, the presentation window 312 and confirmation entry window 320 may be presented on separate first and second client computing devices. For example, the presentation window 312 may operate on a laptop, desktop or tablet device that operates the application, while the confirmation entry window 320 is presented on a smart phone or other device capable of establishing a secondary channel of communication with the authorization service 135”).

Regarding Claims 11-16, 19, 20, and 24:
Non-transitory computer-readable medium claims 11-16, 19, 20, and 24 correspond to respective method claims 1-6, 9, 10, and 23 and contain no further limitations. Thus the same rationale applied in rejecting claims 1-6, 9, 10, and 23 are applied to reject claims 11-16, 19, 20, and 24, respectively.

Regarding Claim 21:
The non-transitory computer-readable medium, according to claim 11, wherein Johansson in view of Bronshtein further teaches the one or more cryptographic keys are specific to communication between the given service provider and the user of the mobile device (Bronshtein, Col. 3, lines 47-65).
The motivation to reject claim 21 under Bronshtein is the same motivation applied in rejecting claim 11 (by virtue of claim 1’s rationale) above.

Regarding Claim 22:
The non-transitory computer-readable medium, according to claim 11, wherein Johansson in view of Bronshtein further teaches the customization data further comprises graphical customization information for customizing the look of the application when displayed on the mobile device (Johansson, Col. 10, line 67 & Col. 11, lines 1-4, “The SUA code may be presented to the user in various manners. For example, the SUA code may be presented as a quick response (QR) code, or alphanumeric character string or both”; i.e., modify the “look of the application” by virtue of the application displaying a customized QR code).
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANIEL B POTRATZ whose telephone number is (571)270-5329.  The examiner can normally be reached on M-F 10 A.M. - 6 P.M. CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491