On Gatekeeper and the Lifespan of Little Snitch Rules

The Protagonists

Gatekeeper is a security feature of macOS. Among other things it makes sure that apps that are in quarantine (= were downloaded from the internet or received via AirDrop) are temporarily moved to a private location when launched, until the user explicitly moves them to their final destination (like the Applications folder) – a procedure also known as “app translocation” or “path randomization”.

So far, so good. What does this mean in combination with Little Snitch?

Little Snitch rules are partly based on an app’s or process’s path – the sequence of folders and subfolders the app currently resides in on your disk. If that changes (the app is moved), the rules cease to be valid.

The Problem

If you put these two things together it becomes impossible to create permanent (“Forever”) rules in Little Snitch for apps that are still in quarantine, because each time they are launched they run from a different path. You know this is the case if the Little Snitch Network Alert shows something like /private/var/… in the path of the app.

The Vanilla Remedy

Normally the solution is to not launch the app you downloaded right from the Downloads folder but to simply move it to a proper location, like the Applications folder. Piece o’cake.

But what if you, the user, did not knowingly download the app? What if some software update process downloaded it in the background? Or what if it’s not the app itself but some sub-part (e.g. a helper XPC process) that is still under quarantine?

That should normally be taken care of by the developer of the software that initiated the update or uses the helper. They should make sure that all these updates and parts are de-quarantined before being used.

Well, should. But some don’t.

The Black Sheep

We’ve had several reports from customers who tried to create rules in Little Snitch for some app and had to do this over and over again because the rules just didn’t stick. On further investigation it turned out that the app, or a part of it, was still under quarantine and was therefore launched by Gatekeeper from a different path each and every time.

So what’s the solution?

The Tinker Remedy

Well, the best solution of course would be that app developers properly de-quarantine all parts of their software when downloading updates.

But what can the user do, if the developers don't deliver?

You can de-quarantine all parts of an application yourself. Just launch the Terminal app (/Applications/Utilities/Terminal.app), enter the following command and press Return:

sudo xattr -dr com.apple.quarantine "/Applications/SomeApp.app"

The /Applications/SomeApp.app part of course is to be replaced by the name of the app in question and the folder it resides in.

This will remove the quarantine flags of the app itself and all parts of it – if they all reside inside the .app wrapper (which they should).
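If you would rather check first than blindly strip attributes, the following shell script (an added example, not from the original post or from Little Snitch) tells a translocated /private/var/… path apart from the app’s real location and lists which parts of a bundle still carry com.apple.quarantine before you remove it. SomeApp.app is a placeholder name as in the post; the xattr tool is macOS-only.

```shell
#!/bin/sh
# Added example, not from the original post. Usage:
#   sh check_quarantine.sh /Applications/SomeApp.app

# Returns 0 if the path looks like a Gatekeeper app-translocation location,
# i.e. the /private/var/... path the Little Snitch Network Alert shows for a
# quarantined app. Translocated apps run from a per-launch directory of the
# form .../T/AppTranslocation/<random id>/d/SomeApp.app (/var is a symlink
# to /private/var, so both spellings are accepted).
is_translocated_path() {
  case "$1" in
    /private/var/folders/*/AppTranslocation/*|/var/folders/*/AppTranslocation/*)
      return 0 ;;
    *)
      return 1 ;;
  esac
}

# Prints every file and directory inside the bundle that still carries the
# com.apple.quarantine attribute. `xattr -p` exits non-zero when the
# attribute is absent, so only flagged items are printed.
list_quarantined_parts() {
  find "$1" -exec sh -c \
    'xattr -p com.apple.quarantine "$1" >/dev/null 2>&1 && printf "%s\n" "$1"' \
    _ {} \;
}

# Removes the attribute from the bundle and everything inside it; this is
# the same command the post gives (sudo is needed for apps you do not own).
dequarantine_bundle() {
  sudo xattr -dr com.apple.quarantine "$1"
}

if [ -n "${1:-}" ]; then
  bundle=$1
  if is_translocated_path "$bundle"; then
    echo "$bundle is a translocated copy; run this on the app's real location instead." >&2
    exit 1
  fi
  flagged=$(list_quarantined_parts "$bundle")
  if [ -z "$flagged" ]; then
    echo "No quarantined parts in $bundle; Little Snitch rules should stick."
  else
    echo "Still quarantined (rules will not stick until these are cleared):"
    printf '%s\n' "$flagged"
    echo "Clear them with: dequarantine_bundle \"$bundle\""
  fi
fi
```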

And after doing that please write a friendly reminder email to the guys that created that app… :)