Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The present Office Action is responsive to communication received 12/16/2020. Claims 1-20 are pending.


Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/16/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Notes
The specification discloses: 
[0083] The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.



Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 9-16 are rejected under 35 USC 1010 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because claims 9-16 are drawn to a system but comprises software only; in order to be statutory, the examiner recommends amending the claim to include at least a piece of hardware such as a hardware processor, microprocessor, memory ...



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-6, 9-11, 13-14 and 17-20 are rejected under rejected under 35 U.S.C. 103 as being unpatentable over publication titled “Figment: fine-grained permission management for mobile apps”, by Gasparis et al., Conference on Computer Communications, 2019, 9 pages, hereinafter Gasparis, in view of publication titled “A dynamic and static analysis of the uber mobile application from a privacy perspective”, by Hayes et al., 2018, Journal of information systems applied research, p.11-22, hereinafter Hayes. Gasparis cited in ids dated 12/16/2020.

Regarding claim 1, Gasparis discloses 
A computer-implemented method for managing the scope of permissions granted by users to application comprising: collecting a set of permissions for an application from an application provider publication (p.1, under Introduction, left col. Permissions collected from apps published in App store) ; collecting a process flow for functional steps of the application from a review of the application that is published on a product review type publication (p.4 last paragraph on left, to right: Control Flow Graph (CFG) built from the APK; the original APK is available in Play store , see p.5, V); dividing the functional steps of the application into a plurality of journeys, each of said plurality of journeys having a function associated with a stage of a functional step from a perspective of a user (p.4, Fig. 3: the CFG shows 2 journeys, a first journey from onCreate() to showCurrentLocation(), and the second journey from onCreate() to takeAndSavePhoto(); the first jouyrney has a function to detect location, and the second journey has camera function); matching permissions from the set of permissions for each journey of said plurality of journeys to provide matched permissible permissions to journeys stored in a customer journey store (p.4, IV: user grants the app permission for accessing location, but denies use of camera, access to the location is a permissible permission, stored in the modified CFG or customer journey store; also enabled/disabled permissions are stored in database see p.5, below Fig. 4, on left ); and monitoring a running application for a user using the matched permissible permissions to the plurality of journeys stored in the customer journey store (p.4-5, IV: monitor runtime execution at time t1: if a permission granted by user is already in the database, the user is not asked again (steps 1-4), at t2, if a permission is denied, the method is not invoked).  
Gasparis discloses a user may be willing to share her location in a specific context, but not under a different context (p.3, on left) but does not explicitly teach wherein an execution of a permission by the running application that is not correlated to said matched permissible permissions in the customer journey store is designated as non-permissible to the user of the application.
In an analogous art, Hayes discloses the Uber transportation app that specifies location access policies “Uber collects your location (i) when the app is open and (ii) from the time of the trip request through five minutes after the trip ends”, however the app uses the location services beyond the stated 5 minutes (p.11, I). Hayes discloses monitoring a running application, wherein an execution of a permission by the running application that is not correlated to said matched permissible permissions in the customer journey store is designated as non-permissible to the user of the application (p.16, on left: although the user selected another ride app, the Uber app tracked the user location 11 minutes after the ride ended, contrary to the access policies or permissible stored permissions; p.16, 5: the tracking of the location post-ride was removed e.g designated as non-permissible). It would have been obvious to a skilled artisan before the instant application was filed to designate non-permissible access as taught by Hayes because it would curtail apps misuse and prevent invasion to the user’s privacy.
Regarding claims 9 and 17, the claims recite substantially the same content as claim 1 and are rejected by the rationale set forth for claim 1.
Regarding claim 2, Gasparis in view of Hayes discloses the computer implemented method of claim 1, wherein the application functions to provide transportation services (Hayes, p.13: Uber APK).
Regarding claim 3, Gasparis in view of Hayes discloses the computer-implemented method of claim 1, wherein said collecting the set of permission for the application includes extracting the permission from a web page publication describing permissions needed for the application to function on an application store site (Gasparis, p.2, II: permissions in Manifest file- Hayes p.14, on left: Uber APK file downloaded from the web to review the code and manifest file).
Regarding claim 5, Gasparis in view of Hayes discloses the computer-implemented method of claim 1, wherein the product review type publication is on a social media type web page (Gasparis, p.1: apps published in the Google Play store, for sharing application)..  
Regarding claim 6, Gasparis in view of Hayes discloses the computer-implemented method of claim 1, wherein said dividing the functional steps of the application into the plurality of journeys considers a pool of historical user interactions with applications (Hayes p.14-15: sample of strings found in the client application folder, showing an array of location data corresponding to ping command from nearby Uber drivers).
Regarding claims 10 and 18, the claims recite substantially the same content as claim 2 and are rejected by the rationale set forth for claim 2.
Regarding claims 11 and 19, the claims recite substantially the same content as claim 3 and are rejected by the rationale set forth for claim 3.
Regarding claims 13 and 20, the claims recite substantially the same content as claim 5 and are rejected by the rationale set forth for claim 5.
Claim 14 recites substantially the same content as claim 6 and is rejected by the rationales set forth for claim 6.


Claims 4, 12 are rejected under 35 USC 103 as being unpatentable over Gasparis and Hayes, in view of publication titled “Towards automating risk assessment of mobile applications”, by Pandita et al., Usenix, 2013, p.527-542, hereinafter Pandita.

Regarding claim 4, Gasparis in view of Hayes discloses the computer-implemented method of claim 3;  Gaparis and Hayes teach the permissions are included in the manifest files (Hayes p. 13, under 4: extract permission from manifest files; Gasparis p.2, on right, under II: apps permissions are declared in the manifest file. However, Gasparis in view of Hayes does not explicitly teach: wherein extracting the permissions comprises parsing permissions from an introduction describing the application using a web crawler and natural language processing.
In an analogous art, Pandita discloses using natural Language Processing NLP to identify permission in applications (p.527, under Abstract), the permission list presented to the user before installing the application (p.527, on left). Pandita discloses wherein extracting the permissions comprises parsing permissions from an introduction describing the application using a web crawler and natural language processing (p.528-629, under 2: search application descriptions to get permissions using NLP; p.534: apply the NLP technique (WHYPER application) on unique type of application categories downloaded from the Play store i.e use of a search engine or web crawler; p.530 on right: applications’ descriptions are written by developers and are read before installing the application, therefore are interpreted as to be part of an introduction before the installation process).It would have been obvious to a skilled artisan before the instant application was filed to extract the permissions as taught by Pandita because it would limit the shortcoming of searching permissions based on keyword and would limit false positives (p.529, on right below Figure 1). 
Claim 12 recites substantially the same content as claim 4 and is rejected by the rationales set forth for claim 4.

Claims 7, 15 are rejected under 35 USC 103 as being unpatentable over Gasparis and Hayes, in view of publication titled “Machine learning for android malware detection using permission and api calls”, by Peiravian et al., IEEE, 2013, p.300-305, hereinafter Peiravian.
Regarding claim 7, Gasparis in view of Hayes discloses the computer-implemented method of claim 1, but does not teach the rest of the limitations.
In an analogous art, Peiravian discloses a machine-learning method for malware detection in apps (p.303, IV, on left). Peiravian discloses the method wherein said matching permissions for each journey to said plurality of journeys includes applying a matching engine using artificial intelligence (p.303, IV: characterize each app based on permission and API calls, the API calls being functions or journeys; label each permissions Pi as existing in the Manifest file or not).  It would have been obvious to a skilled artisan before the instant application was filed to set matching permissions for each journey as taught by Peiravian because it would allow to efficiently use of a large number of permissions and API calls, and build a training set for malware detection (see Peiravian, Abstract).
Claim 15 recites substantially the same content as claim 7 and is rejected by the rationales set forth for claim 7.

Claims 8, 16 are rejected under 35 USC 103 as being unpatentable over Gasparis and Hayes, in view of US 20210390171 to Yuan et al., hereinafter Yuan.
Regarding claim 8, Gasparis in view of Hayes discloses the computer-implemented method of claim 1 but does not teach the rest of the limitation. In an analogous art, yuan discloses setting particular context for an app for using calendar, camera, location services ([0139], table 2). Yuan discloses wherein said being designated as non- permissible to the user includes sending a notification to the display of a device running the application and being operated by the user (Fig. 8 [0138] notification on user interface that the map application is trying to access the camera when such use does not match any permitted context or scenario).  It would have been obvious to a skilled artisan before the instant application was filed to display a notification as taught by Yuan because it would be informative to the user and would allow the user to amend the permission in different scenarios if she desires so. 
Claim 16 recites substantially the same content as claim 8 and is rejected by the rationales set forth for claim 8.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Zhai 20210406916  discloses monitoring malicious use of GPS and other tools installed in devices.
Diaz-tellez et al 20150358356 discloses evaluating and granting permissions from the application manifest file at the time of installing the application.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CATHERINE B THIAW whose telephone number is (571)270-1138. The examiner can normally be reached Monday-Friday 7am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL G COLIN can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Catherine Thiaw/Primary Examiner, Art Unit 2493                                                                                                                                                                                                        11/15/2022