You’re probably aware of App Translocation, formally known as Gatekeeper Path Randomisation (GRP). Since macOS Sierra, it has quietly moved some apps when they’re first run with a quarantine flag set, to a random location, to prevent them from pulling any tricks with plug-ins and the like. When it works correctly, it’s completely transparent to the user, and quite difficult to detect. This article explores how App Translocation is triggered in macOS Ventura 13.3.1, and how different it has become since Sierra.
How did it work?
There are only two official descriptions of App Translocation. That in Apple’s Platform Security Guide is too vague to be of much help: “When necessary, Gatekeeper opens apps from randomised, read-only locations. This is designed to prevent the automatic loading of plug-ins distributed alongside the app.”
Most recently, Quinn “The Eskimo!” of Apple’s Developer Technical Support has explained: “The exact circumstances where the system translocates an app is not documented and has changed over time.”
To learn how it used to work, we have to turn to Jeff Johnson’s detailed exploration from almost seven years ago, and the rules he discovered then. When the following apply, the first time that you run any quarantined app on your Mac, it will be translocated to a random read-only location within that system volume group:
- the app has a com.apple.quarantine extended attribute;
- the app must be opened by Launch Services (normally the Finder) rather than a command shell;
- the app hasn’t been moved by the Finder from the folder it was unarchived or downloaded to, wherever that was.
The third condition includes the folder the app is contained in: if you decompress an app inside a folder, and move that folder to the Applications folder, when you run that app it will still be translocated. Jeff also points out that, unless you move the app out of the folder causing its translocation, its quarantine flag won’t be cleared, condemning that app to eternal translocation until you do move it using the Finder.
How to tell when it happens?
Quinn suggests using ps xw | grep AppName while the app is running, to discover its translocation path.
For more detailed analysis, the log is your friend. The following four entries are a giveaway, and capturing them needs only the first second after launch:
0.770644 Finder AppKit sendAction:
0.776432 Finder LaunchServices LAUNCH: Opening file:///Applications/Sparsity.app/ with 0 items on behalf of 392 role=e flags=8000001 (null)
0.784192 SecWarning lsd Security SecTranslocateCreateSecureDirectoryForURL: created /private/var/folders/zy/jmx4mdfx6s36fdtd0_4ndl7c0000gn/T/AppTranslocation/613DF902-6BE1-4C37-A4C2-349AA050923C/d/Sparsity.app
0.787651 Finder LaunchServices LAUNCH: translocate to file:///private/var/folders/zy/jmx4mdfx6s36fdtd0_4ndl7c0000gn/T/AppTranslocation/613DF902-6BE1-4C37-A4C2-349AA050923C/d/Sparsity.app/ from file:///Applications/Sparsity.app/
The first entry marks the last of the clicks used to open the app in the Finder, following which LaunchServices announces that the app is to be opened. The two entries after that establish the translocation destination.
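As an added illustration of both checks (not code from the original article), the following shell functions recognise a translocated process in a ps listing and pull the two paths out of the LaunchServices log entry. The ps lines are constructed; the log line is the one shown above.

```shell
#!/bin/sh
# Added example, not code from the article: recognise an App Translocation
# launch from (a) the process list and (b) the LaunchServices log entry
# shown above. The ps listing is constructed; the log line is the one quoted.

# A translocated executable runs from a per-user mount of the form
# /private/var/folders/<xx>/<random>/T/AppTranslocation/<UUID>/d/<App>.app/...
is_translocated_path() {
    case "$1" in
        /private/var/folders/*/T/AppTranslocation/*/d/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Parse a "LAUNCH: translocate to <url> from <url>" entry and print
# "<translocated path> -> <original path>" with the file:// scheme removed.
translocation_pair() {
    case "$1" in
        *"LAUNCH: translocate to file://"*" from file://"*) ;;
        *) return 1 ;;
    esac
    rest=${1#*"LAUNCH: translocate to file://"}
    printf '%s -> %s\n' "${rest%% from file://*}" "${rest#* from file://}"
}

# Read "PID TT STAT TIME COMMAND" lines (the layout of `ps xw`) on stdin and
# print "PID COMMAND" for every process running from a translocation mount.
find_translocated() {
    while read -r pid _tty _stat _time cmd; do
        if [ -n "$cmd" ] && is_translocated_path "$cmd"; then
            printf '%s %s\n' "$pid" "$cmd"
        fi
    done
    return 0
}

# Constructed ps listing: one translocated process and one ordinary one.
SAMPLE_PS='  PID TT  STAT      TIME COMMAND
  412 ??  S      0:01.23 /private/var/folders/zy/jmx4mdfx6s36fdtd0_4ndl7c0000gn/T/AppTranslocation/613DF902-6BE1-4C37-A4C2-349AA050923C/d/Sparsity.app/Contents/MacOS/Sparsity
  415 ??  S      0:00.50 /Applications/Safari.app/Contents/MacOS/Safari'
# The LaunchServices entry quoted earlier in the article.
LOG_LINE='0.787651 Finder LaunchServices LAUNCH: translocate to file:///private/var/folders/zy/jmx4mdfx6s36fdtd0_4ndl7c0000gn/T/AppTranslocation/613DF902-6BE1-4C37-A4C2-349AA050923C/d/Sparsity.app/ from file:///Applications/Sparsity.app/'

# Run against the samples; on a Mac use: ps xw | find_translocated
printf '%s\n' "$SAMPLE_PS" | find_translocated
translocation_pair "$LOG_LINE"
```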
What triggers translocation in 13.3.1?
Surprisingly, the third condition, of not moving the app or the folder it’s enclosed in, is no longer required for App Translocation to occur. In testing both within a VM and a regular Ventura system, translocation frequently occurs on quarantined apps even after they have been moved to the main Applications folder. It’s not entirely consistent, though: one app downloaded from the internet didn’t undergo translocation, while two others did, so there appears to be a random element involved.
The first condition also failed: apps that had successfully cleared quarantine underwent translocation repeatedly, even though they were being run from the Applications folder and the quarantine flag had been cleared. In one case, an app was translocated three times in succession:
- When first run, with the quarantine flag set, in Applications
- When run a second time, with the quarantine flag cleared (but still present), after shutting that VM down and opening it again, in Applications
- When run a third time, with the quarantine flag cleared (but still present), after shutting that VM down again and opening it, in Applications
The only condition that consistently prevented translocation was removal of the com.apple.quarantine (and com.apple.provenance) extended attributes.
In macOS 13.3.1, App Translocation (GRP) occurs when a quarantined app is first run from the same folder it arrived in, and can occur on any other launch provided the app still has a com.apple.quarantine extended attribute attached, whether that’s set or cleared. The only way to prevent App Translocation from occurring is to strip the com.apple.quarantine extended attribute from the app.