hoakley October 24, 2023 Macs, Technology

Where Safari hides and bundled apps crash

If you’re running Ventura or Sonoma, you may have noticed that Safari, the app, behaves strangely. Look in your main /Applications folder, and it’s shown just as you’d expect, but look in the folder containing all the other bundled apps, in /System/Applications, and it’s missing. So just where is the Safari app, then?

This becomes more of a mystery if you have a second bootable volume group available, either installed alongside your main one, or on an external disk. Look on that System volume when your Mac hasn’t booted from it, and not only is Safari not in /System/Applications, but it’s even missing from its main /Applications folder. Indeed, the only apps you’ll see there are those you installed on that system. If you haven’t added any, then /Applications is completely empty apart from an empty Utilities folder.

The reason for Safari’s odd behaviour is that it isn’t installed on either the System or Data volume now, as it used to be in Monterey and earlier. In those days, to ensure that Safari could be updated outside full macOS updates, it was installed on the Data volume. From Ventura onwards it comes wrapped in a Cryptex, a secure disk image that’s loaded during the boot process, and that locates its copy of Safari in the /Applications folder.

Cryptexes, and the system snapshot that forms the Signed System Volume (SSV), are only mounted when they’re part of the active boot volume group. Your inactive boot volume group thus doesn’t mount its Cryptex containing Safari, or its SSV containing all the other bundled apps. So you can’t see them where they aren’t on your boot volume.

Just when you think you’ve got your head around that, try running one of the bundled apps from that inactive boot volume group, from its /System/Applications folder. You’ll discover that’s impossible, as macOS crashes the app immediately it tries to start up, complaining of a Code Signature Invalid error.

How come a perfectly valid and undamaged copy of one of the bundled apps can’t be run from an inactive boot volume group?

This is because macOS will only run those bundled apps from a mounted SSV, and not from a different bootable system. Since Ventura, the macOS security system has applied Launch Constraints to certain types of code, which among other things only lets you run bundled apps from their expected locations, on the SSV and (in the case of Safari) from a mounted Cryptex. Those launch constraints are assembled into Trust Caches, and the only way that you can break their rules is to turn System Integrity Protection (SIP) off.

That’s why, even if you manage to make a copy of one of the bundled apps in Ventura or Sonoma, the security system won’t allow you to run it, as that copy fails to meet its Launch Constraints.

Summary

In Ventura and Sonoma:

Safari is run from a Cryptex, so only appears for the active boot volume group.
You can’t run bundled apps in inactive boot volume groups.
Neither can you run copies of bundled apps.

14Comments

Add yours

1

Enzo Vincenzo on October 24, 2023 at 6:54 am

Cryptex?… It reminds me of something… 🙂 . Maybe someone was inspired by Dan Brown and Leonardo [The Da Vinci Code]. But will they have received copyright rights? And do you think that inside the Cryptex we could also find where the Aliens, Noah’s Ark, etc. are hiding and not just Safari? 🙂

LikeLiked by 1 person
- 2
  
  hoakley on October 24, 2023 at 12:24 pm
  
  Thank you. You are correct in your reference to the original use of the term Cryptex, although Dan Brown was referring to something fictional and completely different. As this is a term used by Apple, and not the name of a product or service, I don’t think there’s any issue of intellectual property involved in its reuse.
  I’ll let you discover whether there’s anything more inside Apple’s Cryptexes, although one app that is there alongside Safari is the master Web App used by Sonoma’s new Web Apps.
  Howard.
  
  LikeLiked by 1 person
  - 3
    
    Enzo Vincenzo on October 24, 2023 at 7:23 pm
    
    But I was joking, Howard… 🙂 Did I make you think I was being serious? 😉
    
    LikeLiked by 1 person
    - 4
      
      hoakley on October 24, 2023 at 7:37 pm
      
      Not at all. I just kept the joke going.
      Howard
      
      LikeLike
5

Tudorminator on October 24, 2023 at 11:10 am

More security theatre, while the usability and usefulness of macos goes further down the drain…

LikeLiked by 1 person
- 6
  
  hoakley on October 24, 2023 at 11:23 am
  
  Could you please explain why you think this is “security theatre “, and how this reduces the “usefulness” of macOS?
  Howard
  
  LikeLike
  - 7
    
    Tudorminator on October 24, 2023 at 12:47 pm
    
    Off the top of my head I distinctly remember having 2 different versions of macOS and using the Disk Utility from only one of them, regardless of which was booted at that particular moment, because the other version was buggy.
    
    I may have spoken hastily regarding the ”usefulness” of macOS, sorry to vent my frustrations like that. What I was trying to say was that Apple keeps adding ”features” that no one has asked for, while completely ignoring known bugs, including glaring UI issues that clearly affect usability.
    
    After being stuck on Catalina (by no means a highlight in quality) for a long time on my personal mac, I recently got a work M2 MacBook Pro with Ventura, which is a new experience for me. Everyday is now a parade of small annoyances and things that are not working as they used to (or are supposed to), and after 8-10 hours they surely add up to a markedly poorer experience, for me at least.
    
    LikeLiked by 1 person
    - 8
      
      hoakley on October 24, 2023 at 5:17 pm
      
      I have news for you about iCloud Drive. Hopefully my article will be ready for the morning, and should explain what happened and why.
      Howard.
      
      LikeLike
9

frpsr on October 24, 2023 at 11:58 am

Security Theatre has an alarming ring suggesting the manner which control , especially including heat & fire , or pain , is lost .
Hoping against drama has been a fault that intentions , and all the implied gold , despite the location has yet to sway my fate . Perhaps corrupting a simple Hollywood plan has swayed the susceptible .
I am certain the reason she chose the gin joint , of all the places represented , was because of drama the director selected . I could be wrong . FRPSR

LikeLiked by 1 person
10

Fred K on October 24, 2023 at 5:15 pm

My head is indeed about to pop off. So how is that specific application package bound to the Cryptex? And how is the Cryptex, in turn, bound to a specific boot volume? I’m assuming unique identifiers are in play here but not sure how.

LikeLiked by 1 person
- 11
  
  Fred K on October 24, 2023 at 5:17 pm
  
  Forgot to also ask if this is just a matter of hashes, thanks.
  
  LikeLiked by 1 person
- 12
  
  hoakley on October 24, 2023 at 5:20 pm
  
  Safari (and a few other things, including the Web App app) are contained in a Cryptex that’s loaded during the boot process. I’ve described how they’re validated and mounted elsewhere. When mounted, they’re grafted into the file system, allowing Safari to appear in the main Applications folder.
  Howard.
  
  LikeLiked by 1 person
13

Fred K on October 24, 2023 at 5:31 pm

Thanks for the reference. And thanks for sharing your knowledge, Apple hasn’t updated the APFS reference in what, three years?

LikeLiked by 1 person
- 14
  
  hoakley on October 24, 2023 at 5:43 pm
  
  Yes. Last revision 22 June 2020.
  Howard
  
  LikeLike

·Comments are closed.

Summary

Share this:

Related