DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-10 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the claimed invention is directed to reviewing application code without significantly more. The claim(s) recite(s) receiving code and determining what the code is doing. This judicial exception is not integrated into a practical application because under broadest reasonable interpretation, the receiving and determining steps can be a mental process. The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional wherein step merely calls the determining as automatic without running the code.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Independent claims 1, 11 and 17 relate to receiving application code for analysis and further to determining how the application code affects resources. The claims do not identify what the scope of the invention is, nor the metes and bounds of the scope of the claims. Further the claims do not identify how the code is being reviewed or what the outcome of a review would show or entail. 

Claim Objections
Claim 2 is objected to because of the following informalities:  Claim 2 does not end in a period.  Appropriate correction is required.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1, 4, 6, 7, 10, 11 and 14-20 are rejected under 35 U.S.C. 102 (a)(1) and (a)(2) as being anticipated by Livshits et al., (US Publication No. 2014/0366147), hereinafter “Livshits”.

Regarding claims 1, 11 and 17, Livshits discloses
receiving an application code for analysis [Livshits, paragraph 23, the application code 102 is unpacked and loaded]; and 
determining how application-specific information from resources operably coupled to the application code is implemented via the application code [Livshits, paragraph 27, Block 204 is directed towards identifying hotspots in the program representation graph, namely those nodes that call an API or the like known to access a resource], 
wherein the determination is performed with an automatic analysis without running the application code [Livshits, paragraph 16, Various aspects of the technology described herein are generally directed towards automated, static analysis based solutions that detect unprotected resource accesses by applications and insert missing opt-in consent dialogs/prompts].

Regarding claim 4, Livshits further discloses
wherein the determination includes analyzing a security status of the resources accessed with the application code [Livshits, paragraph 31, FIG. 3 summarizes a general flow of an analysis, in which for a given resource access, that is, a hotspot, step 302 represents evaluating whether access to that resource is adequately protected].

Regarding claim 6, Livshits further discloses
wherein a resource of the resources is a service operably coupled to the application code [Livshits, paragraph 27, Block 204 is directed towards identifying hotspots in the program representation graph, namely those nodes that call an API or the like known to access a resource for which an opt-in prompt is supposed to be provided to the user (for example, the location access API exposed to applications)].

Regarding claim 7, Livshits further discloses
wherein the service analyzed to determine a security configuration [Livshits, paragraph 31, FIG. 3 summarizes a general flow of an analysis, in which for a given resource access, that is, a hotspot, step 302 represents evaluating whether access to that resource is adequately protected].

Regarding claim 10, Livshits further discloses
wherein the determination is implemented in an automatic code analysis tool [Livshits, paragraph 22, The automatic mediation component 104 is generally directed towards placing runtime consent dialogs within mobile application code 102, including automatic and correct prompt placement, that is, at least a substantial amount of the time. To this end, a process/algorithm described herein automatically finds missing prompts and inserts (or otherwise proposes) a valid prompt placement].

Regarding claim 14, Livshits further discloses
wherein the determination includes an analysis of a security status of resources accessed with the application code [Livshits, paragraph 31, FIG. 3 summarizes a general flow of an analysis, in which for a given resource access, that is, a hotspot, step 302 represents evaluating whether access to that resource is adequately protected].

Regarding claim 15, Livshits further discloses
wherein the analysis of the security status includes an analysis of security configurations [Livshits, paragraph 31, FIG. 3 summarizes a general flow of an analysis, in which for a given resource access, that is, a hotspot, step 302 represents evaluating whether access to that resource is adequately protected].

Regarding claim 16, Livshits further discloses
wherein the application-specific additional information includes metadata [Livshits, paragraph 107, The drives and their associated computer storage media, described above and illustrated in FIG. 6, provide storage of computer-readable instructions, data structures, program modules and other data for the computer 610. In FIG. 6, for example, hard disk drive 641 is illustrated as storing operating system 644, application programs 645, other program modules 646 and program data 647. Note that these components can either be the same as or different from operating system 634, application programs 635, other program modules 636, and program data 637. Operating system 644, application programs 645, other program modules 646, and program data 647 are given different numbers herein to illustrate that, at a minimum, they are different copies].

Regarding claim 18, Livshits further discloses
wherein the instructions are implemented in an automatic code analysis tool [Livshits, paragraph 22, The automatic mediation component 104 is generally directed towards placing runtime consent dialogs within mobile application code 102, including automatic and correct prompt placement, that is, at least a substantial amount of the time. To this end, a process/algorithm described herein automatically finds missing prompts and inserts (or otherwise proposes) a valid prompt placement].

Regarding claim 19, Livshits further discloses
wherein the automatic code analysis tool is configured to provide automatic static analysis of the application code [Livshits, paragraph 16, Various aspects of the technology described herein are generally directed towards automated, static analysis based solutions that detect unprotected resource accesses by applications and insert missing opt-in consent dialogs/prompts].

Regarding claim 20, Livshits further discloses
wherein the application-specific information is analyzed for security [Livshits, paragraph 31, FIG. 3 summarizes a general flow of an analysis, in which for a given resource access, that is, a hotspot, step 302 represents evaluating whether access to that resource is adequately protected].

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 2, 3, 12, 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Livshits as applied to claim 1 above, and further in view of Lempel et al., (US Publication No. 2007/0016583), hereinafter “Lempel”.

Regarding claim 2, Livshits does not specifically disclose, however Lempel teaches
wherein the determination includes analyzing an application-specific context of the application code by querying an associated identity manager to verify user identity and user access of the application code [Lempel, paragraph 39, In FIG. 3, control begins at block 300 with the identity manager 124 receiving valid user login data (e.g., userid). In block 302, the identity manager 124 determines whether a user profile exists for the user having the received login data. If so, processing continues to block 308, otherwise, processing continues to block 304].
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to incorporate credentials for user access in order to protect the application from unauthorized use.

Regarding claim 3, Livshits-Lempel further discloses
wherein the analyzing the application specific context of the application code includes determining whether a user group is properly defined [Lempel, paragraph 40, In block 306, the identity manager 124 stores the user security credentials for one or more backend repositories in a user profile 126. In certain embodiments, for each supplied security credential, the identity manager 124 attempts to log in to the backend repository to obtain the user's one or more security groups for that security domain].

Regarding claim 12, Livshits-Lempel further discloses
wherein the application-specific information includes identity and access management information [Lempel, paragraph 39, In FIG. 3, control begins at block 300 with the identity manager 124 receiving valid user login data (e.g., userid). In block 302, the identity manager 124 determines whether a user profile exists for the user having the received login data. If so, processing continues to block 308, otherwise, processing continues to block 304].

Regarding claim 13, Livshits-Lempel further discloses
wherein identity and access management information pertains to user groups and whether an identity can access a particular resource [Lempel, paragraph 40, In block 306, the identity manager 124 stores the user security credentials for one or more backend repositories in a user profile 126. In certain embodiments, for each supplied security credential, the identity manager 124 attempts to log in to the backend repository to obtain the user's one or more security groups for that security domain].

Claim(s) 5 is/are rejected under 35 U.S.C. 103 as being unpatentable over Livshits as applied to claim 4 above, and further in view of Henderson et al., (US Publication No. 2003/0009536), hereinafter “Henderson”.

Regarding claim 5, Livshits does not specifically disclose, however Henderson teaches
wherein the analyzing the security status of the resources includes analyzing the security status of a database storing data accessed by the application code [Henderson, paragraphs 75, which then analyzes the data security database along with user and content profiles].
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to review security of a database in order to protect the information within the database from unauthorized access.

Claim(s) 8, 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Livshits as applied to claim 4 above, and further in view of Lortz, (US Publication No. 2003/0018786).

Regarding claim 8, Livshits does not specifically disclose, however Lortz teaches
wherein the analyzing of the security status includes determining an owner of the resource [Lortz, paragraphs 37, used to determine the authenticity of the resource owner].
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to determine an owner of a resource in order to determine if the user has access to the resource.

Regarding claim 9, Livshits-Lortz further discloses
wherein determining the owner of the resources includes determining whether the owner of the resource owns the application code [Lortz, paragraphs 37, it authenticates 202 the resource owner to determine whether to accept the policy query; used to determine the authenticity of the resource owner].

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM J GOODCHILD whose telephone number is (571)270-1589. The examiner can normally be reached M-F 8am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Pwu can be reached on 571-272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/William J. Goodchild/Primary Examiner, Art Unit 2433