Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
This is the first office action on the merits in response to the application filed on 10/21/2019.
Claims 1-6 and 8-17 are currently pending and subject to a restriction requirement.
Applicant elected Group I (claims 1-6 and 12-17) and claims 1-6 and 12-17 have been examined.
Group II (claims 8-11) have been withdrawn from further consideration by the examiner, 37 CFR 1.142(b), as being drawn to a non-elected invention.

Priority
Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. Applicant has not complied with one or more conditions for receiving the benefit of an earlier filing date under 35 U.S.C. 121 as follows:
The later-filed application must be an application for a patent for an invention which is also disclosed in the prior application (the parent or original nonprovisional application or provisional application). The disclosure of the invention in the parent application and in the later-filed application must be sufficient to comply with the requirements of 35 U.S.C. 112(a) or the first paragraph of pre-AIA  35 U.S.C. 112, except for the best mode requirement.  See Transco Products, Inc. v. Performance Contracting, Inc., 38 F.3d 551, 32 USPQ2d 1077 (Fed. Cir. 1994)
The disclosure of the prior-filed application, Application No. 13/688,109, fails to provide adequate support or enablement in the manner provided by 35 U.S.C. 112(a) or pre-AIA  35 U.S.C. 112, first paragraph for one or more claims of this application. Examiner recommends applicant file a new ADS statement correcting the prior-filed application to 13/668,109 to receive the benefit of the effective filing date of the prior-filed application.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 10/21/2019 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3 and 12-14 are rejected under 35 U.S.C. 103 as being unpatentable over Gandhi (US 20130132235) in view of Do (US 20090198620).

Regarding Claims 1 and 12, Gandhi teaches receiving, at a device, a request within the application to purchase an asset for use with the application which is produced by an application vendor (Paragraphs 0055-0056 teach a user browses and selects an in-app item for purchase via, for example, a graphical user interface of the e-store application as presented on a display screen of the user's device; once the user has confirmed the purchase, the e-store application connects to a carrier applications store server for requesting information related to the in-app items and associated price ranges; the information requested from the carrier applications store server may include, for example and without limitation, one or more unique item identifiers, which are assigned to the e-store application by the carrier applications store; the unique identifier(s) may be stored at the carrier applications store and carrier billing system in association with the registered price range(s) corresponding to the available in-app items for the e-store application; the e-store application matches the confirmed user purchase with the list of available in-app items and price ranges that are returned for the application from the carrier applications store server; once the in-app item purchase as confirmed by the user has been successfully matched with the registered information returned from the carrier applications store server, the e-store application in conjunction with the carrier SDK generates a purchase request based on a price range returned from the carrier's server; the generated purchase request may include, for example and without limitation, the name of the item being purchases, the exact price of the item, and any additional item-specific inventory information, such as a stock-keeping unit (SKU) number); transmitting the request and a vendor identifier associated with the application vendor to the on-line store (Paragraph 0057 teaches the carrier applications store client submits the purchase request from the e-store application and carrier SDK to the carrier applications store server; once the carrier store server has confirmed the purchase request, it returns a new license including details for the purchased items to the e-store application (i.e., license is comparable to a receipt); examples of the details for the purchased items in the new license may include, but are not limited to, purchaser identification, purchased price, name of the purchasing application, the purchase type and a purchase expiration date, if applicable); receiving a signed receipt from the on-line store, the signed receipt including data derived from the vendor identifier, the signed receipt being signed by an operator of the on-line store (Paragraphs 0033 and 0058 teach the license signing system may be configured to sign the license (i.e., receipt) selected by the user; the signing may be done in a manner that facilitates the authentication of the license; for example, the signing may cause a string that contains the license to be signed using a private key on the application store server; once the new license has been acquired, the e-store application can communicate with the e-store server of the application provider or content provider to download the purchased content onto the user device; the e-store server then delivers the content to the device and marks the license as having been consumed or used for its intended purpose; further, the carrier (e.g., via the carrier billing system) bills the mobile device user/subscriber and settles the account revenue with application developer/content provider of the e-store based on, for example, a contract associated with sale of the in-app items purchased by the user/subscriber via the developer's e-store application); verifying the signed receipt (Paragraph 0033 teaches the application store client may have the public key to verify the authenticity of the signature; the software application may also or instead have the public key to permit the signature to be re-verified or verified once it is passed on from the application store client). 
However, Gandhi does not explicitly teach verifying the signed receipt by comparing a vendor identifier obtained from the signed receipt to the vendor identifier of the application vendor.
Do from same or similar field of endeavor teaches verifying the signed receipt by comparing a vendor identifier obtained from the signed receipt to the vendor identifier of the application vendor (Paragraphs 0035-0059 teach the system works as follows: 1. The mobile user browses on his mobile phone and visits a merchant's web site. He selects the items that he wants and makes an order; 2. The payment procedure is carried out; 3. the Merchant's server generates and digitally signs the contract using the merchant private key; the contract is then sent to the Trusted Third Party (TTP); 4. The TTP validates the contract to make sure that it is valid and does originate from the corresponding merchant; the validation is done using public key cryptographic functions; the digital receipt may contain the following: contract id; TTP id; TTP address; The TTP will then send it to the merchant's server).
It would have been prima facie obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to have modified Gandhi, which teaches secure in-app purchases, to incorporate the teachings of Do to verify the signed receipt by comparing a vendor identifier obtained from the signed receipt to the vendor identifier of the application vendor.
There is motivation to combine Do into Gandhi because currently there is readily available software that allows one to essentially get free in-app purchases in any app. This software works by intercepting the requests the device sends to Apple’s servers, and instead of letting the requests actually go through to Apple, responding with a fraudulent receipt. This is called a man-in-the-middle attack. The base invention is improved by performing receipt validation because MITM attacks on the connection between the device and Apple’s servers are not useful: the receipt validation performed by your server cannot be influenced by the attacker, so the receipt would have to be completely new (not seen before by your server) and completely valid for this attack to work. Notwithstanding unknown security vulnerabilities in Apple’s receipt signing system, we can reasonably safely assert that it’s not possible for an attacker to create such receipts without making a real purchase.
Regarding Claim 1, Gandhi teaches a method of providing purchases through an application purchased from an online store (Paragraph 0052 teaches FIG. 5 illustrates an exemplary high-level data flow of a process 500 for enabling in-app item purchases with direct carrier billing for an e-store application on a mobile device of a user).
Regarding Claim 12, Gandhi teaches a non-transitory machine-readable medium storing executable instructions which when executed by a data processing system cause the data processing system to perform a method of providing purchases through an application purchased from an online store (Paragraphs 0028 and 0072 teach FIG. 2 illustrates an exemplary application store server of a carrier for enabling in-app purchases from e-store applications with carrier billing; the applications store server may include a software application database, an application selection system, an application payment system, a license signing system, and an application download system; aspects of the in-app purchasing functions of the e-store application and carrier applications store client, as described above, may be embodied in programming; storage type media include any or all of the tangible memory of the mobile device, processors or the like, or associated modules thereof, such as various semiconductor memories, tape drives, disk drives and the like, which may provide non-transitory storage at any time for the software programming).

Regarding Claims 2 and 13, the combination of Gandhi and Do teaches all the limitations of claims 1 and 12 above; however, the combination does not explicitly teach wherein verifying the signed receipt is conducted by a receipt verification server.
Do further teaches wherein verifying the signed receipt is conducted by a receipt verification server (Paragraph 0033 teaches the TTP receipt server is introduced between the user and the merchant; it acts like a neutral intermediary that gives equal protection to both parties, i.e. the user and merchant; since the mobile phone may not have enough capacity for storing the contract, the TTP stores the contract on behalf of the mobile phone and the mobile user; based on the contract, the TTP will issue and sign a simpler and smaller receipt that can be stored in the mobile phone; this digital receipt is then returned to the merchant's server that sends it to the mobile phone).
It would have been prima facie obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Gandhi and Do to incorporate the further teachings of Do for verifying the signed receipt to be conducted by a receipt verification server.
There is motivation to further combine Do into the combination of Gandhi and Do because of the same reasons listed above for claims 1 and 12.

Regarding Claims 3 and 14, the combination of Gandhi and Do teaches all the limitations of claims 2 and 12 above; however, the combination does not explicitly teach wherein verifying the receipt data of the in-app purchase receipt is conducted via a third-party server.
Do further teaches wherein verifying the receipt data of the in-app purchase receipt is conducted via a third-party server (Paragraph 0033 teaches the Trusted Third Party (TTP) receipt server is introduced between the user and the merchant; it acts like a neutral intermediary that gives equal protection to both parties, i.e. the user and merchant).
It would have been prima facie obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Gandhi and Do to incorporate the further teachings of Do for verifying the receipt data of the in-app purchase receipt to be conducted via a third-party server.
There is motivation to further combine Do into the combination of Gandhi and Do because of the same reasons listed above for claims 1 and 12.

Claims 4 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Gandhi (US 20130132235) in view of Do (US 20090198620) in further view of Yacobi (US 20090313171).

Regarding Claims 4 and 15, the combination of Gandhi and Do teaches all the limitations of claims 1 and 12 above; however, the combination does not explicitly teach verifying the signed receipt by comparing a product ID obtained from the signed receipt to the product ID of the requested asset.
Yacobi from same or similar field of endeavor teaches verifying the signed receipt by comparing a product ID obtained from the signed receipt to the product ID of the requested asset (Paragraph 0005 teaches a product ID comprises a message and a digital signature, wherein the digital signature is a hash value of the message encrypted with the electronic good provider's private key; the client performs a verification via a telephone to ensure that the client is not using a pirated (e.g., unauthorized) copy of a copyrighted software program; the verification requires that the client provide the digital signature portion of the product ID to a trusted verifier that has the electronic good provider's private key; the trusted verifier uses the electronic good provider's private key to reconstruct the message; the trusted verifier then compares the reconstructed message to an expected structure to ensure that the client is not using a pirated version of the electronic good; if the expected structure is found, the electronic good is authentic and the trusted verifier then returns a registration code which activates the client's software; verification using only the digital signature portion of the product ID reduces the amount of information that needs to be transferred over the telephone line to perform electronic good registration).
It would have been prima facie obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Gandhi and Do to incorporate the teachings of Yacobi to verify the signed receipt by comparing a product ID obtained from the signed receipt to the product ID of the requested asset.
There is motivation to combine Yacobi into the combination of Gandhi and Do because the verification requires that the client provide the digital signature portion of the product ID to a trusted verifier that has the software provider's private key. The trusted verifier uses the software provider's private key to ensure that the client is not using a pirated (e.g., unauthorized copy of a copyrighted software program) version of the software. If the expected structure is found, the electronic good is authentic and the trusted verifier then returns a registration code to the client which activates the client's software (Yacobi Paragraph 0023).

Claims 5-6 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Gandhi (US 20130132235) in view of Do (US 20090198620) in further view of Agarwal (US 20130151857)

Regarding Claims 5 and 16, the combination of Gandhi and Do teaches all the limitations of claims 1 and 12 above; however, the combination does not explicitly teach verifying the signed receipt by comparing a transaction ID obtained from the signed receipt to a transaction ID from a previous transaction.
Agarwal from same or similar field of endeavor teaches verifying the signed receipt by comparing a transaction ID obtained from the signed receipt to a transaction ID from a previous transaction (Paragraphs 0050-0051 and 0023 teach the method may include the server determining whether the nonce (e.g., a session identifier that may be used only once per session; the term “session” may refer to a single request-single response session) (i.e., transaction ID) of the single request message is present within a record of previously received nonces; if the nonce is determined to already be present within the record of previously received nonces, the server may discard the single request message or send an appropriate error message to the client; if it is determined that the nonce from the single request message is not present with the record of received previously received nonces, the method may include the server determining that the single request message is a valid single request message and storing the nonce from the single request message within the record of received nonces).
It would have been prima facie obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Gandhi and Do to incorporate the teachings of Agarwal to verify the signed receipt by comparing a transaction ID obtained from the signed receipt to a transaction ID from a previous transaction.
There is motivation to combine Agarwal into the combination of Gandhi and Do because by operating in this manner, the method may ensure that replayed messages are determined to be invalid (e.g., since replayed messages may include replayed nonces). In this way, the method may prevent a replay attack that submits a message including the same nonce at a time falling within the valid time window (Agarwal Paragraphs 0050-0051).

Regarding Claims 6 and 17, the combination of Gandhi and Do teaches all the limitations of claims 1 and 12 above; however, the combination does not explicitly teach verifying the signed receipt's timestamp by checking that the signed receipt was signed contemporaneously with a transaction.
Agarwal from same or similar field of endeavor teaches verifying the signed receipt's timestamp by checking that the signed receipt was signed contemporaneously with a transaction (Paragraph 0049 teaches if the digital signature is valid, the method may include the server determining whether the timestamp of the single request message indicates a time within a valid period of time from the current time; a valid time period might include a range of time extending from particular time before the current time up to the current time (e.g., the last 5 minutes or some other time window)). 
It would have been prima facie obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Gandhi and Do to incorporate the teachings of Agarwal to verify the signed receipt's timestamp by checking that the signed receipt was signed contemporaneously with a transaction.
There is motivation to combine Agarwal into the combination of Gandhi and Do because by ensuring that the timestamp of the single request message indicates a time that falls within the valid period of time, the method may in some cases prevent replay attacks where an attacker tries to submit a replayed message at some time in the future (Agarwal Paragraph 0049).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Paleja et al. (US 20120330786) teaches an application management system modifies developer-submitted applications, such as mobile applications, to add various types of functionality before such applications are made available for purchase. The added functionality may, for example, enable end users to make in-application purchases of content items from an application store. As another example, Digital Rights Management (DRM) functionality may be added for controlling user access to content items, such as content items available in an application store.
Kelly et al. (US 20130036058) teaches a system, method, and article of manufacture for securely processing a transaction. The method may comprise performing a three-factor authentication, communicating and/or generating, to a web client, a token in response to a transaction request and based upon the three-factor authentication, comparing the token to a received token, and authorizing the transaction request based upon the comparing. Three-factor authentication may comprise authenticating a web client to a transaction account associated with an individual, authenticating a web client to a payment network associated with the transaction account, and authenticating an individual to the transaction account based upon a biometric sample.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to COURTNEY JONES whose telephone number is (469)295-9137.  The examiner can normally be reached on 7:30 am - 5:30 pm CST (M-Th).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached at (571) 270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/COURTNEY P JONES/Examiner, Art Unit 3685