The app that won’t go into quarantine

There are only five years to go before we’ll celebrate the century of PTFE, branded widely as Teflon™, the miracle non-stick polymer that has saved countless lives in aortic grafts, innumerable wet bodies in Gore-Tex® waterproof clothing, and burned frying pans by the million. Today I’m going to demonstrate the non-stick app that just shrugs off any quarantine flags or other extended attributes you try to attach to it, thanks to the research of Csaba Fitzl @theevilbit and Jonathan Bar Or @yo_yo_yo_jbo.


For the purposes of this demonstration, I provide a fully signed and notarized app of mine, Sparsity, used for generating test sparse files. In macOS Ventura 13.3.1, if you download it from its Product Page and run it, Gatekeeper will ask you to confirm that action, because it has a quarantine flag set. Follow these steps and you’ll get Sparsity without any quarantine flag at all.

First, ensure your browser doesn’t automatically open or decompress the files it downloads. If it does, then it will ruin the demo.

Then download the Zip archive of Sparsity from here: sparsityfolder

Move it into a working folder named something like 0sparsity, inside your Documents folder. Open Terminal, and cd to ~/Documents/0sparsity, then unzip the archive with the command
That will create another compressed archive, sparsityfolder.aar, which you extract using aa in the command
aa extract -i sparsityfolder.aar -o Sparsity
Note that if you try using other methods of unzipping and decompression, they’re likely to fail: they strip the ACL, and your copy of the app will get a quarantine flag as usual.

That should create Inspect it using
ls -le
and you’ll see that it has an unusual Access Control List:
drwxr-xr-x+ 3 hoakley staff 96 9 Apr 21:25
0: group:everyone deny writeattr,writeextattr

As a result of that, and unlike the archives it came in, doesn’t have any quarantine flag, and the only extended attribute it seems prepared to accept is, which is rather more special. Try adding a quarantine flag using xattred, for example, and it refuses to accept it, because its ACL has been preserved from when I first set it here, right through to it being decompressed on your Mac.


This behaviour was first described by Jonathan Bar Or of Microsoft 365 Defender Research Team, who used an AppleDouble file for what was a vulnerability, as it could be used maliciously. This was reported to Apple, and fixed in macOS Monterey 12.6.2, Big Sur 11.7.2, and Ventura 13.

ACLs are so powerful that they can be used to block the attachment of extended attributes, including quarantine flags of type While they’re normally preserved within a Mac’s own storage, once you archive an app or file and transfer it by AirDrop or over the internet, they normally get stripped, allowing the downloading Mac to attach the quarantine flag you’d expect. That didn’t apply to AppleDouble files, which could therefore be abused to install executable code that wouldn’t be quarantined.

This variation on the same theme was devised by Csaba Fitzl, who published it in a tweet. As of Ventura 13.3, Apple has closed that vulnerability too, although it remains possible to abuse the command tool aa as shown above.

Sparsity itself doesn’t pull any tricks, and the demo relies on using the aa command tool to preserve the ACL. That’s added to the app using a command like
chmod +a "everyone deny writeattr,writeextattr"
and you can confirm the ACL is in place with
ls -le
to reveal
drwxr-xr-x+ 3 hoakley staff 96 1 Apr 2021
0: group:everyone deny writeattr,writeextattr

The app is then put into a folder (to cater for aa’s foibles in dealing with bundles), and the folder archived using
aa archive -d SparsityFolder -o sparsityfolder.aar

But if you use Archive Utility or any other decompression tool apart from aa, the ACL will be stripped, and a quarantine flag attached. Only when you use
aa extract -i sparsityfolder.aar -o Sparsity
will the ACL be preserved, and the quarantine flag and almost all other extended attributes be refused.
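
To check a folder for items carrying this kind of ACL, the following added example (not part of the original article) reads ls -le output and reports every entry with a deny entry that includes writeextattr. The function name find_xattr_deny_acls and the sample listing, including its file names, are constructed for illustration.

```shell
#!/bin/sh
# Added example: report entries in `ls -le` output whose ACL denies xattr writes.
# On a Mac:  ls -le ~/Downloads | find_xattr_deny_acls

# Constructed sample listing (names are invented, not from the article).
SAMPLE_LS_OUTPUT='total 0
drwxr-xr-x+ 3 user staff 96 9 Apr 21:25 Example.app
 0: group:everyone deny writeattr,writeextattr
drwxr-xr-x  3 user staff 96 9 Apr 21:25 Plain.app
drwxr-xr-x+ 3 user staff 96 9 Apr 21:25 Shared Folder
 0: group:everyone allow writeattr,writeextattr
-rw-r--r--@ 1 user staff 12 9 Apr 21:25 notes.txt'

find_xattr_deny_acls() {
    awk '
        # Entry line: starts with a mode string such as drwxr-xr-x+
        /^[-bcdlps][-r][-w]/ {
            name = $0
            # Strip the eight leading columns: mode, links, owner, group,
            # size and the three date fields. The rest is the name.
            for (i = 1; i <= 8; i++) sub(/^[ \t]*[^ \t]+/, "", name)
            sub(/^[ \t]+/, "", name)
            reported = 0
            next
        }
        # ACE line: " 0: group:everyone deny writeattr,writeextattr"
        /^[ \t]*[0-9]+:/ {
            # Look for the deny keyword rather than assuming its column.
            for (i = 2; i < NF; i++) {
                if ($i != "deny") continue
                n = split($(i + 1), perms, ",")
                for (j = 1; j <= n; j++)
                    if (perms[j] == "writeextattr" && !reported) {
                        print name
                        reported = 1
                    }
            }
        }
    '
}

# Run against the constructed sample so the script works stand-alone.
printf "%s\n" "$SAMPLE_LS_OUTPUT" | find_xattr_deny_acls
```

An entry reported here that also lacks a quarantine flag, despite having been downloaded, deserves a closer look before it is opened.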

Does this ACL have a benign use?

I’m no fan of ACLs, and given the important roles that extended attributes play, not just in security, one simple answer would be for macOS to ignore this one.

That said, I can see one potential use. macOS now freely attaches quarantine and other extended attributes to regular documents that have never left that Mac, and sometimes these get into a twist. The end result can be a perfectly good app, even a bundled app like Preview, refusing to open or save a document because of a clash over extended attributes. It has been a while since I last saw this here, but some seem to suffer repeatedly. Maybe applying this ACL to a document could prevent those problems, or maybe it would make them even worse.

Whatever you do, though, don’t use this as an elaborate way of sneaking executable code past Gatekeeper’s full quarantine checks. There are much simpler ways, and you should only ever contemplate using them when you fully understand the risks and consequences.