Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
This application is a continuation of co-pending. U.S. patent application Ser. No. 15/094,954, entitled DETECTING REPACKAGED APPLICATIONS BASED ON FILE FORMAT FINGERPRINTS filed Apr. 8, 2016, which claims priority to U.S. Provisional Patent Application No. 62/292,858, entitled DETECTING REPACKAGED APPLICATION BASED ON FILE FORMAT FINGERPRINTS filed Feb. 8, 2016, both of which are incorporated herein by reference for all purposes.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 09/20/2022 has been entered.
 
DETAILED ACTION
This Office Action is in response to a Request for Continued Examination (RCE) application received on 09/20/2022. In the RCE, claims 1-3, 15 and 20 have been amended. claims 4, 7-8 and 16-17 have been cancelled. Claims 21-28 have been added as new claims. 
For this Office Action, claims 1-3, 5-6, 9-15 and 18-28 have been received for consideration and have been examined. 

Claim Objections
Claim 26 objected to because of the following informalities:  
Claim 26 preamble recites “The method of claim 26”. Examiner notes that it should recites as “The method of claim 25” as this claim is similar to claim 12 which is dependent of claim 11 and claim 12 is written as dependent of claim 11.  Appropriate correction is required.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-6, 9, 13-15, 18, 20-24 and 27-28 are rejected under 35 U.S.C. 103 as being unpatentable over Shim et al., (US20140082729A1) in view of Wyatt et al., (US20120240236A1) in view of Non-Patent Literature (NPL) Document Titled “Detecting Repackaged Smartphone Applications in Third-Party Android Marketplaces” published 02/07/2012 hereinafter referred as “NPL” and further in view of Foreign Reference Zhou., (CN104216946A) hereinafter referred as Zhou.
Regarding claim 1, Shim discloses:

A system, comprising:
a processor configured to:
receive a set of repackaging fingerprints generated independently (See FIG. 2; a blacklist database 108 stores recording the IDs of malicious publishers) of a particular original application (See FIG. 3; i.e. a specific Application) ([0023] there is provided a system for detecting a repackaged application by analyzing an Android application, the system including: a decompiler 102 for loading the Android application, which is an analysis target, decompressing the application and extracting an AndroidManifest file and a Dex file; an analysis module 106 for analyzing whether or not specific information is modified in the extracted AndroidManifest or Dex file; a blacklist database 108 for storing a blacklist collecting IDs of publishers related to creation and distribution of a malicious code, a white list collecting IDs of publishers unrelated to creation and distribution of the malicious code, and information on malicious package names and malicious code character strings), 
wherein the set of repackaging fingerprints comprises a plurality of predetermined indicators of build-related structure (i.e. publisher ID, package name, and main activity name etc.), and wherein said build-related structure is independent of the particular original application's code structure ([0043] The analysis system 100 of the present invention includes a decomplier 102, an application database 104, an analysis module 106, a blacklist database 108; [0044] The decompiler 102 loads an Android application file (an execution file having a file extension of apk) stored in the application database 104, decompresses (decompiles) the application file and extracts an AndroidManifest file and a Dex file. The extracted AndroidManifest file and Dex file are transferred to the analysis module 106, and detection of a repackaged application is performed.
Examiner construes that blacklist database 108 to contain known good and bad indicators [build-related structure] such as publisher ID, package name, and main activity name etc., which are fingerprints of applications and are generated independently of particular application. The analysis module checks for the legitimate indicators in the manifest file and Dex file to check if application is a repackaged application or not. Furthermore, Examiner would like to point out that similar functions are being performed in the instant specification paragraphs [0113 – 0130]).
Shim explicitly does not disclose:
receive a mobile application; analyze the received mobile application for one or more indicators that the received mobile application is a repackaged version of the particular original application, using at least one repackaging fingerprint, determining whether the at least one repackaging fingerprint indicates that a repackaging tool was used as a component in generating the received mobile application; and in response to a result of the analysis, categorize the received mobile application as a repackaged application; and a memory coupled to the processor and configured to provide the processor with instructions.
However, Wyatt discloses:
	receive a mobile application ([0059] FIGS. 3-7 illustrate the transmission and collection of application data and device data in more detail. FIG. 3 illustrates an embodiment in which server 151 evaluates a change in a data object stored on mobile communication device 101. In FIG. 3, mobile communication device 101 detects a change in a specific data object (block 301). One having skill in the art will appreciate that detecting changes in a data object may involve mechanisms such as intercepting system calls or file system operations, a file system or other data object change listener, receiving an event from a package management system (e.g., PACKAGE_UPDATED and/or PACKAGE_REPLACED intents in the Android™ operating system), and polling for data objects in a file system or other system capable of enumerating data objects. Other techniques for detecting changes may also be used);
analyze the received mobile application for one or more indicators that the received mobile application is a repackaged version of the particular original application, using at least one repackaging fingerprint; and in response to a result of the analysis ([0063] mobile communication device 101 transmits information for the changed data object. Such information may include identifying information for the data object, such as metadata (e.g., hash, package name, file name, file path, cryptographic signer, unique identifier such as a UUID) and the like. In block 305, server 151 receives the identifier for mobile communication device 101 and information for the changed data object. The received data is stored by server 151 on the server or on data storage 111 (block 307). In an embodiment, only some of the data received by server 151 is stored. In block 309, server 151 provides an assessment for the changed data object … The assessment may include instructions and/or a categorization labeling the changed data object as safe, malicious, or unknown … Assessments may be considered to be for the same data object if the metadata relating to each object matches in a variety of ways, including if the assessments relate to data objects with the same hash, same package name, same cryptographic signer, or same file path; [0129] For example, on Android, the device may analyze the executable portion of an application packages, typically called “classes.dex”. The device may extract a list of inter-process communication calls directly or indirectly performed by the executable file that utilize the “binder” mechanism and transmit information about the calls to server 151 for use in analyzing the application package),
categorize the received mobile application as a repackaged application ([0315] The inference engine can make an assessment, determination, or inference that one application is a counterfeit of the other application or that one application is illegitimate and the other application is legitimate. For example, one application may be a repackaged version of the other application. The repackaged application may include malware or other undesirable code); and 
a memory coupled to the processor and configured to provide the processor with instructions ([0039] a computer usable medium or computer readable medium may be any medium that can contain or store the program for use by or in connection with the instruction execution system, apparatus or device. For example, the computer readable storage medium or computer usable medium may be, but is not limited to, a random access memory (RAM), read-only memory (ROM), or a persistent store, such as a mass storage device, hard drives, CDROM, DVDROM, tape, erasable programmable read-only memory (EPROM or flash memory)).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Shim reference and include a method of identifying counterfeit mobile application at a mobile device by analyzing a mobile application at a server, as disclosed by Wyatt.
The motivation to identifying the counterfeit mobile application is to prevent and block the malicious application in the mobile device from performing nefarious activities in the mobile device.
The combination of Shim and Wyatt fails to disclose:
determining whether the at least one repackaging fingerprint indicates that a repackaging tool was used as a component in generating the received mobile application.
However, NPL discloses:
	determining whether the at least one repackaging fingerprint (i.e., difference of values in Publisher ID) indicates that a repackaging tool was used as a component in generating the received mobile application (See Page # 322; Table 3 shows comparing Application (Angry Birds) Manifest Files from the Original App and the Repackaged App using DroidMOSS analyzing application which indicates that a repackaged application was generated using some illegitimate repackaging tool which is construed as indication that a repackaging tool was used in generating the mobile application

    PNG
    media_image1.png
    563
    1522
    media_image1.png
    Greyscale
).
	It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Shim and Wyatt references and include an app similarity measurement system called DroidMOSS, as disclosed by NPL.
	The motivation to include the DroidMOSS techniques is to effectively compare the code of the application to detect if the application code is modified using repackaging tool. 
The combination of Shim, Wyatt and NPL fails to disclose:
	wherein analyzing the mobile application includes at least one of: (1) analyzing a string table to determine whether offset values included in the string table are strictly increasing, or (2) analyzing a map table to determine whether a second to last item in the map table has a value that is other than "DEBUGINFO".
However, Zhou discloses:
	wherein analyzing the mobile application includes at least one of: (1) analyzing a string table to determine whether offset values included in the string table are strictly increasing, or (2) analyzing a map table to determine whether a second to last item in the map table has a value that is other than "DEBUGINFO" ([0040-0043] discloses a system determining according to rules if the type code is DEBUG-INFO-ITEM in the DEX file map list. If the type code is DEBUG-INFO-ITEM, it means the rule is met and the DEX is not a packaged file. Whereas if the type code is not DEBUG-INFO-ITEM in the map list then the rule is not met and it is determined that the file is a packaged file).
	It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Shim, Wyatt and NPL references and include method for checking the map list of a DEX file, as disclosed by Zhou.
	The motivation to include such a method is to be able to detect if the map list of the DEX file is changed and if it is changed then highlighting that DEX file as a repackaged file. 
Regarding claim 2, the combination of Shim, Wyatt, NPL and Zhou discloses:
	The system of claim 1 wherein analyzing the mobile application further includes determining that the mobile application matches a whitelisted fingerprint component and categorizing the mobile application as not repackaged in response to the determination (Wyatt: [0051] an assessment may include a determination that an application is malicious or non-malicious, bad or good, unsafe or safe, or that an application may appear on a blacklist or whitelist. An assessment may include categorization or characterization data for a data object, ratings such as security ratings, privacy ratings, performance ratings, quality ratings, and battery impact ratings for a data object, trust ratings for a data object, distribution data for a data object). 
Regarding claim 3, the combination of Shim, Wyatt, NPL and Zhou discloses:
The system of claim 1 wherein analyzing the mobile application using the first repackaging fingerprint includes determining that the mobile application matches a blacklisted fingerprint component and categorizing the mobile application as repackaged in response to the determination (Wyatt: [0314] For example, an application binary of a first application program may be different from an application binary of a second application program. Hash values of the application binaries may be different. Signing certificates, application fingerprints, signing keys, package names, entitlements, permissions, media assets, ad network, ad network account identifiers, digital rights management (DRM) protection, publisher names, or combinations of these may be different between the two or more applications; [0315] The inference engine can make an assessment, determination, or inference that one application is a counterfeit of the other application or that one application is illegitimate and the other application is legitimate. For example, one application may be a repackaged version of the other application. The repackaged application may include malware or other undesirable code).
Regarding claim 5, the combination of Shim, Wyatt, NPL and Zhou discloses:
The system of claim 1 wherein analyzing the received mobile application includes determining whether the received mobile application matches a threshold set of repackaging fingerprints (Wyatt: [0335] The comparison may include measuring a degree of similarity between the first and second application metadata. If the degree of similarity is within a threshold degree of similarity, in a step 2115, the analysis server compares the first and second application programs to identify any differences. In a step 2120, at least one difference may be identified. In a step 2125, based on the identified at least one difference and the degree of similarity being within the threshold degree of similarity, a determination is made that one of the first or second application programs is a counterfeit of the other first or second application programs; [0344] a code similarity algorithm that fingerprints each component in an application (e.g. Java class, Objective-C framework, shared library) can be used to determine what types code is shared between two applications, and what code is unique).
Regarding claim 6, the combination of Shim, Wyatt, NPL and Zhou discloses:
The system of claim 1 wherein analyzing the received mobile application includes parsing a file format (Wyatt: [0262] In a specific implementation, the crawler program is configured to parse an application program file, locate a specific element within the file, extract the values or attributes listed within the specific element, and store the extracted values in the database).
Regarding claim 9, the combination of Shim, Wyatt, NPL and Zhou discloses:
	The system of claim 1 wherein a repackaging fingerprint included in the set of repackaging fingerprints identifies as a repackaged application one in which an item with a first type is positioned before an item with a second type (Wyatt: [0315] The inference engine can make an assessment, determination, or inference that one application is a counterfeit of the other application or that one application is illegitimate and the other application is legitimate. For example, one application may be a repackaged version of the other application. The repackaged application may include malware or other undesirable code; [0342] In step 2115, if the degree of similarity is within a threshold degree of similarity, the system compares the first application program with the second application program to identify any differences between the first and second application programs). 
Regarding claim 13, the combination of Shim, Wyatt, NPL and Zhou discloses:
The system of claim 1 wherein a repackaging fingerprint included in the set of repackaging fingerprints identifies as a repackaged application one in which at least one of a checksum of rest data and a hash value of rest data is valid (Wyatt: [0054] To prevent taxing network 121 and server 151 with network traffic, various methods may be used to reduce the amount of data requested by and transmitted to server 151. For example, rather than transmitting whole data objects, such as application files or application packages, for analysis, hashing functions or hashing algorithms may be applied to data and the resulting hash of the data may be sent to the server 151. The server 151 may use the hash to uniquely identify the data object. If the server has previously performed an assessment of the data object identified by the hash, the server 151 may return that previous assessment if it is still valid).
Regarding claim 14, the combination of Shim, Wyatt, NPL and Zhou discloses:
The system of claim 1 wherein analyzing the mobile application includes examining at least one of a class definition table, a method list, and a code header with respect to non-interface classes (Wyatt: [0344] a code similarity algorithm that fingerprints each component in an application (e.g. Java class, Objective-C framework, shared library) can be used to determine what types code is shared between two applications, and what code is unique. Such a code similarity algorithm may examine the structure of a given component (for example, the exposed API, the control flow or instruction contents of the component's implementation, linkage to other components, or other aspects of the component) to create a fingerprint that uniquely identifies that component as different from other components).
Regarding claim 15, Shim discloses:
A method comprising:
receive a set of repackaging fingerprints generated independently (See FIG. 2; a blacklist database 108 stores recording the IDs of malicious publishers) of a particular original application (See FIG. 3; i.e. a specific Application) ([0023] there is provided a system for detecting a repackaged application by analyzing an Android application, the system including: a decompiler 102 for loading the Android application, which is an analysis target, decompressing the application and extracting an AndroidManifest file and a Dex file; an analysis module 106 for analyzing whether or not specific information is modified in the extracted AndroidManifest or Dex file; a blacklist database 108 for storing a blacklist collecting IDs of publishers related to creation and distribution of a malicious code, a white list collecting IDs of publishers unrelated to creation and distribution of the malicious code, and information on malicious package names and malicious code character strings), 
wherein the set of repackaging fingerprints comprises a plurality of predetermined indicators of build-related structure (i.e. publisher ID, package name, and main activity name etc.), and wherein said build-related structure is independent of the particular original application's code structure ([0043] The analysis system 100 of the present invention includes a decomplier 102, an application database 104, an analysis module 106, a blacklist database 108; [0044] The decompiler 102 loads an Android application file (an execution file having a file extension of apk) stored in the application database 104, decompresses (decompiles) the application file and extracts an AndroidManifest file and a Dex file. The extracted AndroidManifest file and Dex file are transferred to the analysis module 106, and detection of a repackaged application is performed.
Examiner construes that blacklist database 108 to contain known good and bad indicators [build-related structure] such as publisher ID, package name, and main activity name etc., which are fingerprints of applications and are generated independently of particular application. The analysis module checks for the legitimate indicators in the manifest file and Dex file to check if application is a repackaged application or not. Furthermore, Examiner would like to point out that similar functions are being performed in the instant specification paragraphs [0113 – 0130]).
Shim explicitly does not disclose:
receive a mobile application; analyze the received mobile application for one or more indicators that the received mobile application is a repackaged version of the particular original application, using at least one repackaging fingerprint, determining whether the at least one repackaging fingerprint indicates that a repackaging tool was used as a component in generating the received mobile application; and in response to a result of the analysis, categorize the received mobile application as a repackaged application; and a memory coupled to the processor and configured to provide the processor with instructions.
However, Wyatt discloses:
	receive a mobile application ([0059] FIGS. 3-7 illustrate the transmission and collection of application data and device data in more detail. FIG. 3 illustrates an embodiment in which server 151 evaluates a change in a data object stored on mobile communication device 101. In FIG. 3, mobile communication device 101 detects a change in a specific data object (block 301). One having skill in the art will appreciate that detecting changes in a data object may involve mechanisms such as intercepting system calls or file system operations, a file system or other data object change listener, receiving an event from a package management system (e.g., PACKAGE_UPDATED and/or PACKAGE_REPLACED intents in the Android™ operating system), and polling for data objects in a file system or other system capable of enumerating data objects. Other techniques for detecting changes may also be used);
analyze the received mobile application for one or more indicators that the received mobile application is a repackaged version of the particular original application, using at least one repackaging fingerprint; and in response to a result of the analysis ([0063] mobile communication device 101 transmits information for the changed data object. Such information may include identifying information for the data object, such as metadata (e.g., hash, package name, file name, file path, cryptographic signer, unique identifier such as a UUID) and the like. In block 305, server 151 receives the identifier for mobile communication device 101 and information for the changed data object. The received data is stored by server 151 on the server or on data storage 111 (block 307). In an embodiment, only some of the data received by server 151 is stored. In block 309, server 151 provides an assessment for the changed data object … The assessment may include instructions and/or a categorization labeling the changed data object as safe, malicious, or unknown … Assessments may be considered to be for the same data object if the metadata relating to each object matches in a variety of ways, including if the assessments relate to data objects with the same hash, same package name, same cryptographic signer, or same file path; [0129] For example, on Android, the device may analyze the executable portion of an application packages, typically called “classes.dex”. The device may extract a list of inter-process communication calls directly or indirectly performed by the executable file that utilize the “binder” mechanism and transmit information about the calls to server 151 for use in analyzing the application package),
categorize the received mobile application as a repackaged application ([0315] The inference engine can make an assessment, determination, or inference that one application is a counterfeit of the other application or that one application is illegitimate and the other application is legitimate. For example, one application may be a repackaged version of the other application. The repackaged application may include malware or other undesirable code).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Shim reference and include a method of identifying counterfeit mobile application at a mobile device by analyzing a mobile application at a server, as disclosed by Wyatt.
The motivation to identifying the counterfeit mobile application is to prevent and block the malicious application in the mobile device from performing nefarious activities in the mobile device.
The combination of Shim and Wyatt fails to disclose:
determining whether the at least one repackaging fingerprint indicates that a repackaging tool was used as a component in generating the received mobile application.
However, NPL discloses:
	determining whether the at least one repackaging fingerprint indicates that a repackaging tool was used as a component in generating the received mobile application (See Page # 322; Table 3 shows comparing Application (Angry Birds) Manifest Files from the Original App and the Repackaged App using DroidMOSS analyzing application which indicates that a repackaged application was generated using some illegitimate repackaging tool which is construed as indication that a repackaging tool was used in generating the mobile application

    PNG
    media_image1.png
    563
    1522
    media_image1.png
    Greyscale
).
	It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Shim and Wyatt references and include an app similarity measurement system called DroidMOSS, as disclosed by NPL.
	The motivation to include the DroidMOSS techniques is to effectively compare the code of the application to detect if the application code is modified using repackaging tool. 
The combination of Shim, Wyatt and NPL fails to disclose:
	wherein analyzing the mobile application includes at least one of: (1) analyzing a string table to determine whether offset values included in the string table are strictly increasing, or (2) analyzing a map table to determine whether a second to last item in the map table has a value that is other than "DEBUGINFO".
However, Zhou discloses:
	wherein analyzing the mobile application includes at least one of: (1) analyzing a string table to determine whether offset values included in the string table are strictly increasing, or (2) analyzing a map table to determine whether a second to last item in the map table has a value that is other than "DEBUGINFO" ([0040-0043] discloses a system determining according to rules if the type code is DEBUG-INFO-ITEM in the DEX file map list. If the type code is DEBUG-INFO-ITEM, it means the rule is met. Whereas if the type code is not DEBUG-INFO-ITEM then the rule is not met and it is determined that the file is Packaged file).
	It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Shim, Wyatt and NPL references and include method for checking the map list of a DEX file, as disclosed by Zhou.
	The motivation to include such a method is to be able to detect if the map list of the DEX file is changed and if it is changed then highlighting that DEX file as a repackaged file. 
Regarding claim 18, the combination of Shim, Wyatt, NPL and Zhou discloses:
The method of claim 15 wherein a repackaging fingerprint included in the set of repackaging fingerprints identifies as a repackaged application one in which an item with a first type is positioned before an item with a second type (Wyatt: [0315] The inference engine can make an assessment, determination, or inference that one application is a counterfeit of the other application or that one application is illegitimate and the other application is legitimate. For example, one application may be a repackaged version of the other application. The repackaged application may include malware or other undesirable code; [0342] In step 2115, if the degree of similarity is within a threshold degree of similarity, the system compares the first application program with the second application program to identify any differences between the first and second application programs).
Regarding claim 20, Shim discloses:
A computer program product embodied in a tangible computer readable storage medium and comprising computer instructions for:
receive a set of repackaging fingerprints generated independently (See FIG. 2; a blacklist database 108 stores recording the IDs of malicious publishers) of a particular original application (See FIG. 3; i.e. a specific Application) ([0023] there is provided a system for detecting a repackaged application by analyzing an Android application, the system including: a decompiler 102 for loading the Android application, which is an analysis target, decompressing the application and extracting an AndroidManifest file and a Dex file; an analysis module 106 for analyzing whether or not specific information is modified in the extracted AndroidManifest or Dex file; a blacklist database 108 for storing a blacklist collecting IDs of publishers related to creation and distribution of a malicious code, a white list collecting IDs of publishers unrelated to creation and distribution of the malicious code, and information on malicious package names and malicious code character strings), 
wherein the set of repackaging fingerprints comprises a plurality of predetermined indicators of build-related structure (i.e. publisher ID, package name, and main activity name etc.), and wherein said build-related structure is independent of the particular original application's code structure ([0043] The analysis system 100 of the present invention includes a decomplier 102, an application database 104, an analysis module 106, a blacklist database 108; [0044] The decompiler 102 loads an Android application file (an execution file having a file extension of apk) stored in the application database 104, decompresses (decompiles) the application file and extracts an AndroidManifest file and a Dex file. The extracted AndroidManifest file and Dex file are transferred to the analysis module 106, and detection of a repackaged application is performed.
Examiner construes that blacklist database 108 to contain known good and bad indicators [build-related structure] such as publisher ID, package name, and main activity name etc., which are fingerprints of applications and are generated independently of particular application. The analysis module checks for the legitimate indicators in the manifest file and Dex file to check if application is a repackaged application or not. Furthermore, Examiner would like to point out that similar functions are being performed in the instant specification paragraphs [0113 – 0130]).
Shim explicitly does not disclose:
receive a mobile application; analyze the received mobile application for one or more indicators that the received mobile application is a repackaged version of the particular original application, using at least one repackaging fingerprint, determining whether the at least one repackaging fingerprint indicates that a repackaging tool was used as a component in generating the received mobile application; and in response to a result of the analysis, categorize the received mobile application as a repackaged application; and a memory coupled to the processor and configured to provide the processor with instructions.
However, Wyatt discloses:
	receive a mobile application ([0059] FIGS. 3-7 illustrate the transmission and collection of application data and device data in more detail. FIG. 3 illustrates an embodiment in which server 151 evaluates a change in a data object stored on mobile communication device 101. In FIG. 3, mobile communication device 101 detects a change in a specific data object (block 301). One having skill in the art will appreciate that detecting changes in a data object may involve mechanisms such as intercepting system calls or file system operations, a file system or other data object change listener, receiving an event from a package management system (e.g., PACKAGE_UPDATED and/or PACKAGE_REPLACED intents in the Android™ operating system), and polling for data objects in a file system or other system capable of enumerating data objects. Other techniques for detecting changes may also be used);
analyze the received mobile application for one or more indicators that the received mobile application is a repackaged version of the particular original application, using at least one repackaging fingerprint; and in response to a result of the analysis ([0063] mobile communication device 101 transmits information for the changed data object. Such information may include identifying information for the data object, such as metadata (e.g., hash, package name, file name, file path, cryptographic signer, unique identifier such as a UUID) and the like. In block 305, server 151 receives the identifier for mobile communication device 101 and information for the changed data object. The received data is stored by server 151 on the server or on data storage 111 (block 307). In an embodiment, only some of the data received by server 151 is stored. In block 309, server 151 provides an assessment for the changed data object … The assessment may include instructions and/or a categorization labeling the changed data object as safe, malicious, or unknown … Assessments may be considered to be for the same data object if the metadata relating to each object matches in a variety of ways, including if the assessments relate to data objects with the same hash, same package name, same cryptographic signer, or same file path; [0129] For example, on Android, the device may analyze the executable portion of an application packages, typically called “classes.dex”. The device may extract a list of inter-process communication calls directly or indirectly performed by the executable file that utilize the “binder” mechanism and transmit information about the calls to server 151 for use in analyzing the application package),
categorize the received mobile application as a repackaged application ([0315] The inference engine can make an assessment, determination, or inference that one application is a counterfeit of the other application or that one application is illegitimate and the other application is legitimate. For example, one application may be a repackaged version of the other application. The repackaged application may include malware or other undesirable code).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Shim reference and include a method of identifying counterfeit mobile application at a mobile device by analyzing a mobile application at a server, as disclosed by Wyatt.
The motivation to identifying the counterfeit mobile application is to prevent and block the malicious application in the mobile device from performing nefarious activities in the mobile device.
The combination of Shim and Wyatt fails to disclose:
determining whether the at least one repackaging fingerprint indicates that a repackaging tool was used as a component in generating the received mobile application.
However, NPL discloses:
	determining whether the at least one repackaging fingerprint indicates that a repackaging tool was used as a component in generating the received mobile application (See Page # 322; Table 3 shows comparing Application (Angry Birds) Manifest Files from the Original App and the Repackaged App using DroidMOSS analyzing application which indicates that a repackaged application was generated using some illegitimate repackaging tool which is construed as indication that a repackaging tool was used in generating the mobile application

    PNG
    media_image1.png
    563
    1522
    media_image1.png
    Greyscale
).
	It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Shim and Wyatt references and include an app similarity measurement system called DroidMOSS, as disclosed by NPL.
	The motivation to include the DroidMOSS techniques is to effectively compare the code of the application to detect if the application code is modified using repackaging tool. 
The combination of Shim, Wyatt, and NPL fails to disclose:
	wherein analyzing the mobile application includes at least one of: (1) analyzing a string table to determine whether offset values included in the string table are strictly increasing, or (2) analyzing a map table to determine whether a second to last item in the map table has a value that is other than "DEBUGINFO".
However, Zhou discloses:
	wherein analyzing the mobile application includes at least one of: (1) analyzing a string table to determine whether offset values included in the string table are strictly increasing, or (2) analyzing a map table to determine whether a second to last item in the map table has a value that is other than "DEBUGINFO" ([0040-0043] discloses a system determining according to rules if the type code is DEBUG-INFO-ITEM in the DEX file map list. If the type code is DEBUG-INFO-ITEM, it means the rule is met. Whereas if the type code is not DEBUG-INFO-ITEM then the rule is not met and it is determined that the file is Packaged file).
	It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Shim, Wyatt and NPL references and include method for checking the map list of a DEX file, as disclosed by Zhou.
	The motivation to include such a method is to be able to detect if the map list of the DEX file is changed and if it is changed then highlighting that DEX file as a repackaged file. 
Regarding claim 21, the combination of Shim, Wyatt, NPL and Zhou discloses:
The method of claim 15, wherein analyzing the mobile application further includes determining that the mobile application matches a whitelisted fingerprint component and categorizing the mobile application as not repackaged in response to the determination (Wyatt: [0051] an assessment may include a determination that an application is malicious or non-malicious, bad or good, unsafe or safe, or that an application may appear on a blacklist or whitelist. An assessment may include categorization or characterization data for a data object, ratings such as security ratings, privacy ratings, performance ratings, quality ratings, and battery impact ratings for a data object, trust ratings for a data object, distribution data for a data object). 
Regarding claim 22, the combination of Shim, Wyatt, NPL and Zhou discloses:
The method of claim 15, wherein analyzing the mobile application using the first repackaging fingerprint includes determining that the mobile application matches a blacklisted fingerprint component and categorizing the mobile application as repackaged in response to the determination (Wyatt: [0314] For example, an application binary of a first application program may be different from an application binary of a second application program. Hash values of the application binaries may be different. Signing certificates, application fingerprints, signing keys, package names, entitlements, permissions, media assets, ad network, ad network account identifiers, digital rights management (DRM) protection, publisher names, or combinations of these may be different between the two or more applications; [0315] The inference engine can make an assessment, determination, or inference that one application is a counterfeit of the other application or that one application is illegitimate and the other application is legitimate. For example, one application may be a repackaged version of the other application. The repackaged application may include malware or other undesirable code).
Regarding claim 23, the combination of Shim, Wyatt, NPL and Zhou discloses:
The method of claim 15, wherein analyzing the received mobile application includes determining whether the received mobile application matches a threshold set of repackaging fingerprints (Wyatt: [0335] The comparison may include measuring a degree of similarity between the first and second application metadata. If the degree of similarity is within a threshold degree of similarity, in a step 2115, the analysis server compares the first and second application programs to identify any differences. In a step 2120, at least one difference may be identified. In a step 2125, based on the identified at least one difference and the degree of similarity being within the threshold degree of similarity, a determination is made that one of the first or second application programs is a counterfeit of the other first or second application programs; [0344] a code similarity algorithm that fingerprints each component in an application (e.g. Java class, Objective-C framework, shared library) can be used to determine what types code is shared between two applications, and what code is unique).
Regarding claim 24, the combination of Shim, Wyatt, NPL and Zhou discloses:
The method of claim 15, wherein analyzing the received mobile application includes parsing a file format (Wyatt: [0262] In a specific implementation, the crawler program is configured to parse an application program file, locate a specific element within the file, extract the values or attributes listed within the specific element, and store the extracted values in the database).
Regarding claim 27, the combination of Shim, Wyatt, NPL and Zhou discloses:
The method of claim 15, wherein a repackaging fingerprint included in the set of repackaging fingerprints identifies as a repackaged application one in which at least one of a checksum of rest data and a hash value of rest data is valid (Wyatt: [0054] To prevent taxing network 121 and server 151 with network traffic, various methods may be used to reduce the amount of data requested by and transmitted to server 151. For example, rather than transmitting whole data objects, such as application files or application packages, for analysis, hashing functions or hashing algorithms may be applied to data and the resulting hash of the data may be sent to the server 151. The server 151 may use the hash to uniquely identify the data object. If the server has previously performed an assessment of the data object identified by the hash, the server 151 may return that previous assessment if it is still valid).
Regarding claim 28, the combination of Shim, Wyatt, NPL and Zhou discloses:
The method of claim 15, wherein analyzing the mobile application includes examining at least one of a class definition table, a method list, and a code header with respect to non-interface classes (Wyatt: [0344] a code similarity algorithm that fingerprints each component in an application (e.g. Java class, Objective-C framework, shared library) can be used to determine what types code is shared between two applications, and what code is unique. Such a code similarity algorithm may examine the structure of a given component (for example, the exposed API, the control flow or instruction contents of the component's implementation, linkage to other components, or other aspects of the component) to create a fingerprint that uniquely identifies that component as different from other components).




Claims 10-11, 19 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Shim et al., (US20140082729A1) in view of Wyatt et al., (US20120240236A1) in view of Non-Patent Literature (NPL) Document Titles “Detecting Repackaged Smartphone Applications in Third-Party Android Marketplaces” published 02/07/2012 hereinafter referred as “NPL” in view of Foreign Reference Zhou., (CN104216946A) hereinafter referred as Zhou and further in view of Sankruthi (US9792436B1). 
Regarding claim 10, the combination of Shim, Wyatt, NPL and Zhou fails to disclose:
	The system of claim 1 wherein a repackaging fingerprint included in the set of repackaging fingerprints identifies as a repackaged application one in which an actual file length does not match a file length field value.
However, Sankruthi discloses:
	wherein analyzing the mobile application includes determining whether an actual file length matches a file length field value (Col. 8, Line # 48-53; At block 410, other parameters of the possible matches are checked against the infected file. For example, file version, file size, file header information, and the file path may be compared. A file may be matched even though it is not identical to the infected file in all of the listed parameters; Col. 8, Line # 55-63; The evaluation may involve determining if certain information of the infected file, such as version number, appears to be genuine, and matching a file with the same version information. Should it appear that the version number or other information has been tampered with, then the evaluation may involve comparing parameters such as file length as well as hash values for the one or more regions of the interest and selecting the file that matches the infected file most closely).
	It would have been obvious before the effective filing date of the claimed invention to modify the references of Shim, Wyatt, NPL and Zhou and analyze a software application based on file header information, as taught by Sankruthi.
	The motivation to analyze infected software application based on comparison of file header and file length is to be able to detect malicious content in the file and prevent it from executing in the computer system. 
Regarding claim 11, the combination of Shim, Wyatt, NPL and Zhou fails to disclose:
The system of claim 1 wherein a repackaging fingerprint included in the set of repackaging fingerprints identifies as a repackaged application one in which a header length field does not match a predefined value.
However, Sankruthi discloses:
	wherein a repackaging fingerprint included in the set of repackaging fingerprints identifies as a repackaged application one in which a header length field does not match a predefined value (Col. 7, Line # 43-48; Each file identity 320 within the file remediation repository 300 may include file data 322 about its associated file. File data 322 may include, for example: file name, file version, file size, OS name, OS version, client hostname, client IP address, file path, file source, and file header information).
Regarding claim 19, the combination of Shim, Wyatt, NPL and Zhou fails to disclose:
The method of claim 15 wherein a repackaging fingerprint included in the set of repackaging fingerprints identifies as a repackaged application one in which an actual file length does not match a file length field value.
However, Sankruthi discloses:
	wherein a repackaging fingerprint included in the set of repackaging fingerprints identifies as a repackaged application one in which a header length field does not match a predefined value (Col. 7, Line # 43-48; Each file identity 320 within the file remediation repository 300 may include file data 322 about its associated file. File data 322 may include, for example: file name, file version, file size, OS name, OS version, client hostname, client IP address, file path, file source, and file header information).
Regarding claim 25, the combination of Shim, Wyatt, NPL and Zhou fails to disclose:
The method of claim 15, wherein a repackaging fingerprint included in the set of repackaging fingerprints identifies as a repackaged application one in which a header length field does not match a predefined value.
However, Sankruthi discloses:
	wherein a repackaging fingerprint included in the set of repackaging fingerprints identifies as a repackaged application one in which a header length field does not match a predefined value (Col. 7, Line # 43-48; Each file identity 320 within the file remediation repository 300 may include file data 322 about its associated file. File data 322 may include, for example: file name, file version, file size, OS name, OS version, client hostname, client IP address, file path, file source, and file header information).


Claims 12 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Shim et al., (US20140082729A1) in view of Wyatt et al., (US20120240236A1) in view of Non-Patent Literature (NPL) Document Titles “Detecting Repackaged Smartphone Applications in Third-Party Android Marketplaces” published 02/07/2012 hereinafter referred as “NPL” in view of Foreign Reference Zhou., (CN104216946A) hereinafter referred as Zhou and further in view of Herrero et al., (US20160261558A1).
Regarding claim 12, the combination of Shim, Wyatt and NPL fails to disclose:
The system of claim 11 wherein the predefined value is at least one of 0x70 and 117.
However, Herrero discloses:
wherein the predefined value is at least one of 0x70 and 117 ([0031] the length of the compressed header is based on the payload size. In one non-limiting example embodiment, the compressed header is either 3 bytes or 4 bytes depending on the amount of data to be sent. Tables 2 and 3 provide example media packet configurations with such compressed headers. See Table 2 & 3: 
    PNG
    media_image2.png
    321
    524
    media_image2.png
    Greyscale
).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of Wyatt, Shim, NPL and Sankruthi and include predefined values in the header of the file, as disclosed by Herrero.
The motivation to include predefined values in the file header is to be able to match exact values in the files when they are being compared for malicious activity by the system. 
Regarding claim 26, the combination of Shim, Wyatt and NPL fails to disclose:
The method of claim 26 [25], wherein the predefined value is at least one of 0x70 and 117.
However, Herrero discloses:
wherein the predefined value is at least one of 0x70 and 117 ([0031] the length of the compressed header is based on the payload size. In one non-limiting example embodiment, the compressed header is either 3 bytes or 4 bytes depending on the amount of data to be sent. Tables 2 and 3 provide example media packet configurations with such compressed headers. See Table 2 & 3: 
    PNG
    media_image2.png
    321
    524
    media_image2.png
    Greyscale
).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of Wyatt, Shim, NPL and Sankruthi and include predefined values in the header of the file, as disclosed by Herrero.
The motivation to include predefined values in the file header is to be able to match exact values in the files when they are being compared for malicious activity by the system. 


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US20160335437A1 - Method and device for feature extraction
US20160321453A1 - Method and device for detecting malicious code in an intelligent terminal.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        

/S.M.A./Patent Examiner, Art Unit 2432