What causes App Translocation?

You’re probably aware of App Translocation, formally known as Gatekeeper Path Randomisation (GRP). Since macOS Sierra, it has quietly moved some apps when they’re first run with a quarantine flag set, to a random location, to prevent them from pulling any tricks with plug-ins and the like. When it works correctly, it’s completely transparent to the user, and quite difficult to detect. This article explores how App Translocation is triggered in macOS Ventura 13.3.1, and how different it has become since Sierra.

How did it work?

There are only two official descriptions of App Translocation. That in Apple’s Platform Security Guide is too vague to be of much help: “When necessary, Gatekeeper opens apps from randomised, read-only locations. This is designed to prevent the automatic loading of plug-ins distributed alongside the app.”

Most recently, Quinn “The Eskimo!” of Apple’s Developer Technical Support has explained: “The exact circumstances where the system translocates an app is not documented and has changed over time.”

To learn how it used to work, we have to turn to Jeff Johnson’s detailed exploration from almost seven years ago, and the rules he discovered then. When the following apply, the first time that you run any quarantined app on your Mac, it will be translocated to a random read-only location within that system volume group:

the app has a com.apple.quarantine extended attribute;
the app must be opened by Launch Services (normally the Finder) rather than a command shell;
the app hasn’t been moved by the Finder from the folder it was unarchived or downloaded to, wherever that was.

The third condition includes the folder the app is contained in: if you decompress an app inside a folder, and move that folder to the Applications folder, when you run that app it will still be translocated. Jeff also points out that, unless you move the app from the folder causing its translocation, its quarantine flag won’t be cleared, so condemning that app to eternal translocation until you move it using the Finder.

How to tell when it happens?

Quinn suggests using ps xw | grep AppName while the app is running, to discover its translocation path.

For more detailed analysis, the log is your friend. The following four entries are a giveaway, and only need the first second after launch to capture them:
0.770644 Finder AppKit sendAction: 0.776432 Finder LaunchServices LAUNCH: Opening file:///Applications/Sparsity.app/ with 0 items on behalf of 392 role=e flags=8000001 (null) 0.784192 SecWarning lsd Security SecTranslocateCreateSecureDirectoryForURL: created /private/var/folders/zy/jmx4mdfx6s36fdtd0_4ndl7c0000gn/T/AppTranslocation/613DF902-6BE1-4C37-A4C2-349AA050923C/d/Sparsity.app 0.787651 Finder LaunchServices LAUNCH: translocate to file:///private/var/folders/zy/jmx4mdfx6s36fdtd0_4ndl7c0000gn/T/AppTranslocation/613DF902-6BE1-4C37-A4C2-349AA050923C/d/Sparsity.app/ from file:///Applications/Sparsity.app/

The first entry marks the last of the clicks used to open the app in the Finder, following which LaunchServices announces the app is to be opened. The two entries after that established the translocation destination.

What triggers translocation in 13.3.1?

Surprisingly, the third condition, of not moving the app or the folder it’s enclosed in, is no longer required for App Translocation to occur. In testing both within a VM and a regular Ventura system, translocation frequently occurs on quarantined apps even after they have been moved to the main Applications folder. It’s not entirely consistent, though: one app downloaded from the internet didn’t undergo translocation, while two others did, so there appears to be a random element involved.

The first condition also failed: apps that had successfully cleared quarantine underwent translocation repeatedly, even though they were being run from the Applications folder and the quarantine flag had been cleared. In one case, an app was translocated three times in succession:

When first run, with the quarantine flag set, in Applications
When run a second time, with the quarantine flag cleared (but still present), after shutting that VM down and opening it again, in Applications
When run a third time, with the quarantine flag cleared (but still present), after shutting that VM down again and opening it, in Applications

The only condition that consistently avoided translocation from occurring was removal of the com.apple.quarantine (and com.apple.provenance) extended attributes.

Conclusions

In macOS 13.3.1, App Translocation (GRP) occurs when a quarantined app is first run from the same folder it arrived in, and can occur on any other launch provided the app still has a com.apple.quarantine extended attribute attached, whether that’s set or cleared. The only way to prevent App Translocation from occurring is to strip the com.apple.quarantine extended attribute from the app.

5Comments

Add yours

1

Jeff Johnson on May 9, 2023 at 10:35 am

My 2016 article said, “First, the app must have a com.apple.quarantine extended attribute. If you delete the quarantine xattr, then App Translocation does not occur, and the app will launch from where it was unarchived, like normal.” I didn’t mention anything about a quarantine flag.

It’s interesting that Quinn’s Apple Developer Forums post says, “Your best option here is to make your app work properly when translocated”, completely ignoring the problem I mentioned in my article: “App Translocation prevents software update mechanisms such as Sparkle from working.”

LikeLiked by 2 people
- 2
  
  hoakley on May 9, 2023 at 10:57 am
  
  Thank you, Jeff. I have corrected that.
  Howard
  
  LikeLike
3

Michael Tsai - Blog - App Translocation in Ventura on May 10, 2023 at 7:17 pm

[…] Howard Oakley: […]

LikeLike
4

Peter N Lewis on May 11, 2023 at 3:26 am

When you were moving the application, were you **using the Finder**? I distribute Keyboard Maestro as a .zip file, and while I have had occasional reported issues with App Translocation, I have never heard of anyone who could not remove the issue by moving the application to the Applications folder **using the Finder**.

LikeLiked by 1 person
- 5
  
  hoakley on May 11, 2023 at 5:54 am
  
  Yes.
  I wasn’t actually looking for App Translocation at all, but working on my research into the com.apple.provenance xattr. As I have described in the diagram and text there, every step here was performed in the GUI: download/transfer using Safari or AirDrop into Downloads, unZip there by double-clicking, move in the Finder from the download folder into the main Applications folder, launch there by double-clicking in the Finder. Even the log excerpts were obtained using the GUI!
  But you’re referring to problems resulting from App Translocation. I didn’t see any, but each time I went to look for the provenance entries in the log, I noticed the app was being translocated. In the end, I gave up trying to avoid translocation, as the only reliable way to do that was to strip the quarantine xattr, which of course meant that no provenance xattr was applied.
  Howard.
  
  LikeLike

How did it work?

How to tell when it happens?

What triggers translocation in 13.3.1?

Conclusions

Share this:

Like this:

Related