Every couple of weeks, someone trying to run one of my free apps contacts me to report that the app they downloaded crashes whenever they try to run it. When they attach a crash report, it usually takes me just a few seconds to work out why this is: it’s almost invariably because of translocation, a macOS security mechanism that isn’t widely known. This article explains what is happening, and the simple solution.
Although introduced six years ago in macOS Sierra, I’ve been unable to find any clear account of app translocation in Apple’s developer or security documentation. The closest that I’ve come is a vague mention in the Platform Security Guide:
“Gatekeeper also protects against the distribution of malicious plug-ins with benign apps. Here, using the app triggers the loading of a malicious plug-in without the user’s knowledge. When necessary, Gatekeeper opens apps from randomized, read-only locations. This is designed to prevent the automatic loading of plug-ins distributed alongside the app.”
None of my apps works with plug-ins, and none is distributed with them, so you might be puzzled as to why this should apply to anything you’ve downloaded from here. Read Jeff Johnson’s detailed exploration from six years ago, and the rules he discovered then might make this appear more credible. When the following apply, the first time that you run any quarantined app on your Mac, it will be translocated to a random read-only location within that system volume group:
- the app has a quarantine flag set;
- the app must be opened by Launch Services (normally the Finder) rather than a command shell;
- the app hasn’t been moved by the Finder from the location it was unarchived or downloaded to, wherever that was.
Take the example of someone who downloads SilentKnight from here. It arrives in their ~/Downloads folder, where they unarchive it into its own folder. If they now try running SilentKnight without moving it, macOS is almost certain to translocate it for that first run. Nine times out of ten, the user isn’t aware of this: the app runs fine, and the next time, with its quarantine flag cleared, it works exactly as expected, without translocation taking place.
You’ll only notice translocation taking place when you examine the log for the app’s first run. There you’ll see entries describing the creation of the translocation directory, typically at a location something like /private/var/folders/4d/x76c3kn158q0mvbcjh8dy12h0000gn/T/AppTranslocation/FD855598-DFCA-4A82-9A0D-229C0C99035B/d/MyNew.app
Every now and then, this doesn’t work to plan. As debugging translocation problems is so difficult, it’s hard to discover why. Instead of the app opening and clearing quarantine, macOS decides to crash the app, and it doesn’t complete that first run, so will be translocated again if it’s run from the same location. The tell-tale sign in the crash report is the path given for the crashed app, which reveals that it was launched in translocation, from a path such as /private/var/folders/*/MyNew.app/Contents/MacOS/MyNew.
Most of my apps do something a little unusual when they first start up: they perform a check on their own signature, to ensure that they haven’t been damaged or tampered with. I introduced these some years ago, at a time when such checks were only performed when quarantined apps were first run. I’m not aware that they should cause any problems in translocation, unless macOS decides to intervene. I also test every release of every app I make available here by adding a quarantine flag and checking that it opens correctly; they invariably do, and confirm that the app has been correctly notarised too.
So now I advise users, not only when installing my apps but for all software, to unarchive the download and move the app into one of the standard Applications folders, which seems to be what macOS expects us to do. That way the third of Jeff Johnson’s criteria doesn’t apply, and the app isn’t translocated for its first run. If you’d rather put an app in a different location, that too should be fine, provided that you move the app from its download location using the Finder.
- If you download any app, install it by moving it in the Finder to a different location, such as one of the standard Applications folders, before you try running it for the first time.
- If you run any app for the first time and it crashes immediately, use the Finder to move that app to a different location. It may well then work fine.
Jeff Johnson @lapcatsoftware has kindly informed me that even successfully running a quarantined app which has been translocated won’t result in its quarantine flag being cleared, so condemning it to eternal translocation until you do move it using the Finder.
He also reports that moving an app with a quarantine flag, which would be translocated, inside an existing folder doesn’t relieve it from translocation, even if that folder is moved into a regular Applications folder. I’ll be looking in more detail at these in the near future.