Don’t run that app where it landed: how translocation can cause crashes

Every couple of weeks, someone trying to run one of my free apps contacts me to report that the app they downloaded crashes whenever they try to run it. When they attach a crash report, it usually takes me just a few seconds to work out why this is: it’s almost invariably because of translocation, a macOS security mechanism that isn’t widely known. This article explains what is happening, and the simple solution.

App translocation

Although introduced six years ago in macOS Sierra, I’ve been unable to find any clear account of app translocation in Apple’s developer or security documentation. The closest that I’ve come is a vague mention in the Platform Security Guide:
“Gatekeeper also protects against the distribution of malicious plug-ins with benign apps. Here, using the app triggers the loading of a malicious plug-in without the user’s knowledge. When necessary, Gatekeeper opens apps from randomized, read-only locations. This is designed to prevent the automatic loading of plug-ins distributed alongside the app.”

None of my apps works with plug-ins, and none is distributed with them, so you might be puzzled as to why this should apply to anything you’ve downloaded from here. Read Jeff Johnson’s detailed exploration from six years ago, and the rules he discovered then might make this appear more credible. When the following apply, the first time that you run any quarantined app on your Mac, it will be translocated to a random read-only location within that system volume group:

the app has a quarantine flag set;
the app must be opened by Launch Services (normally the Finder) rather than a command shell;
the app hasn’t been moved by the Finder from the location it was unarchived or downloaded to, wherever that was.

Take the example of someone who downloads SilentKnight from here. It arrives in their ~/Downloads folder, where they unarchive it into its own folder. If they now try running SilentKnight without moving it, macOS is almost certain to translocate it for that first run. Nine times out of ten, the user isn’t aware of this: the app runs fine, and the next time, with its quarantine flag cleared, it works exactly as expected, without translocation taking place.

You’ll only notice translocation taking place when you examine the log for the app’s first run. There you’ll see entries describing the creation of the translocation directory, typically at a location something like /private/var/folders/4d/x76c3kn158q0mvbcjh8dy12h0000gn/T/AppTranslocation/FD855598-DFCA-4A82-9A0D-229C0C99035B/d/MyNew.app

Crashing

Every now and then, this doesn’t work to plan. As debugging translocation problems is so difficult, it’s hard to discover why. Instead of the app opening and clearing quarantine, macOS decides to crash the app, and it doesn’t complete that first run, so will be translocated again if it’s run from the same location. The tell-tale sign in the crash report is the path given for the crashed app, which reveals that it was launched in translocation, from a path such as /private/var/folders/*/MyNew.app/Contents/MacOS/MyNew.

Most of my apps do something a little unusual when they first start up: they perform a check on their own signature, to ensure that they haven’t been damaged or tampered with. I introduced these some years ago, at a time when such checks were only performed when quarantined apps were first run. I’m not aware that they should cause any problems in translocation, unless macOS decides to intervene. I also test every release of every app I make available here by adding a quarantine flag and checking that it opens correctly; they invariably do, and confirm that the app has been correctly notarised too.

So now I advise users, not only when installing my apps but for all software, to unarchive the download and move the app into one of the standard Applications folders, which seems to be what macOS expects us to do. That way the third of Jeff Johnson’s criteria doesn’t apply, and the app isn’t translocated for its first run. If you’d rather put an app in a different location, that too should be fine, provided that you move the app from its download location using the Finder.

Recommendations

If you download any app, install it by moving it in the Finder to a different location, such as one of the standard Applications folders, before you try running it for the first time.
If you run any app for the first time and it crashes immediately, use the Finder to move that app to a different location. It may well then work fine.

Postscript

Jeff Johnson @lapcatsoftware has kindly informed me that even successfully running a quarantined app which has been translocated won’t result in its quarantine flag being cleared, so condemning it to eternal translocation until you do move it using the Finder.

He also reports that moving an app with a quarantine flag, which would be translocated, inside an existing folder doesn’t relieve it from translocation, even if that folder is moved into a regular Applications folder. I’ll be looking in more detail at these in the near future.

12Comments

Add yours

1

Macintoshista on September 6, 2022 at 7:00 am

I suppose you could distribute your apps via an installer which will place the apps in a sensible location, e.g. The Applications folder. Having said that I hope most readers of your blog are reasonably tech savvy and move apps to an appropriate location so it could be an unnecessary overhead.

LikeLiked by 2 people
- 2
  
  hoakley on September 6, 2022 at 8:08 am
  
  Thank you.
  Actually installers don’t make things any easier, and this problem appears very infrequent. I don’t understand why it happens, and can’t reproduce it here at all, so can’t test against it.
  The only ways to work around it are to use the same techniques used by malware to avoid it, which really isn’t good!
  Howard.
  
  LikeLiked by 2 people
3

Christian on September 6, 2022 at 7:22 am

Thanks for this (again) very interesting article! We always discover something new, reading you…
I’ve got a few questions, though:
– does copying the file in the Finder to a different location work the same as moving it? (I’ve set my Downloads and Uncompressed folders on a different drive — and I’ve probably ditched many apps after unsuccessfully trying to run them from there… 😉 )
– as I understand rule #3, unarchiving the download directly into one of the standard Applications folders (by modifying Archive Utility.app’s prefs or with an app such as BetterZip) won’t be enough? It’s the “moving” it manually that is important, right?

LikeLiked by 2 people
- 4
  
  hoakley on September 6, 2022 at 8:10 am
  
  Thank you.
  – the copy shouldn’t be translocated. However, should you try the unmoved original, I guess that might still be.
  – no, the move into another folder really needs to be done in the Finder to be confident that translocation won’t then occur.
  Howard.
  
  LikeLiked by 1 person
5

Bryan Christianson on September 6, 2022 at 7:47 am

A few years ago Patrick Wardle posted a very comprehensive blog on translocation at https://objective-see.com/blog/blog_0x15.html

He describes the problems both solved and caused by translocation and gives code for an effective way for an application to bypass it.

LikeLiked by 2 people
- 6
  
  hoakley on September 6, 2022 at 8:13 am
  
  Thank you. Yes, it’s a detailed look, primarily from the security aspects, and Patrick’s own problems with his apps.
  The annoying factor here is that none of my apps do anything in the least bit suspect. They don’t self-modify at all, just check their own signatures. Yet some (and only a very few) users report this problem. It’s crazy to have to make such changes to address what can only be a bug in the translocation system, and not to be able to identify the bug either.
  Howard.
  
  LikeLiked by 1 person
7

eyelessjerry on September 6, 2022 at 7:54 am

Haven’t thought much about that (maybe because it hasn’t been much of a problem), but oddly enough I encountered this yesterday in getting an old CrashPlan client to work under macOS Monterey (to use an old standalone CrashPlan server on a Mac, now discontinued on all systems). Had to remove that temporary folder, but still not exactly sure on where I made a correct move to get it working (problem was there were no backup of the old computer and important files are often saved in /Library (that should normally not be needed, but unfortunately left out by default on most apps like Backblaze etc).

LikeLiked by 1 person
8

Ronald P. Regensburg on September 6, 2022 at 7:32 pm

I encountered this issue several years ago with the emulators BasiliskII and SheepShaver. I distribute regularly updated builds of these apps in zip archive from the emaculation.com site. Some users had the apps crash.
It appeared to be a security feature in macOS that will not allow an app to run unless it has been intentionally installed by the user. The feature was introduced in macOS 10.12 (Sierra).
My advice was then, and still is, to make a copy of the app in a different location, trash the original, and move the copy back to where the original was. It always works.

LikeLiked by 1 person
- 9
  
  hoakley on September 6, 2022 at 8:15 pm
  
  Thank you.
  What puzzles me is that macOS should deliberately crash an app which isn’t trying to change its code, but is merely checking its integrity using the macOS security API. Surely apps should be encouraged to do that?
  Howard.
  
  LikeLike
10

Move Downloaded Mac Apps Before Initial Launch - TidBITS on September 6, 2022 at 7:34 pm

[…] his Eclectic Light Company blog, Howard Oakley builds on old research from Jeff Johnson to explain Apple’s minimally documented App Translocation security mechanism. In short, Gatekeeper in macOS protects against malicious plug-ins within benign apps by opening […]

LikeLike
11

Vic on September 6, 2022 at 7:49 pm

I ran into this issue with your apps in the past. I soon discovered that moving the app out of the folder it arrived in would stop the annoying translocation behaviour, just as mentioned in your postscript.

LikeLiked by 1 person
- 12
  
  hoakley on September 6, 2022 at 8:16 pm
  
  Thank you, and my apologies on behalf of macOS.
  Howard.
  
  LikeLike