Why some Mac apps launch slowly: A follow-up
a year ago
- #macOS
- #syspolicyd
- #app-launch
- The slow app launches are caused by the `syspolicyd` process, specifically the dispatch queue `com.apple.security.syspolicy.yara`.
- Howard Oakley rejects the malware scan theory, citing reasons such as file size limits in XProtect Yara rules and the lack of log entries for Yara scans.
- Spindump evidence shows `syspolicyd` performing malware checks triggered by `dlopen` function calls when loading dynamic libraries.
- Oakley proposes an alternative theory involving SHA-256 hash computations for app framework files, suggesting cache misses cause delays.
- The author disputes Oakley's hash cache theory, pointing out the lack of empirical evidence and questioning the utility of such a cache.
- Universal binaries complicate performance measurements, as checks might only apply to the active architecture, not the entire file size.
- The author concludes that Oakley's observations align with their earlier findings, with no new substantive evidence presented.
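
To make the universal-binary caveat measurable, the sketch below (an added example, not code from the original article) reads the fat header of a universal binary and reports each architecture slice's size, so launch delays can be compared against the active slice rather than the whole file. The sample input is constructed, and the helper names `fat_slices`, `slice_share` and `build_sample` are hypothetical.

```python
import struct

FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBABF  # stored big-endian on disk
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}

def fat_slices(data):
    """Return [(arch, offset, size)] per slice; [] if not a universal binary."""
    if len(data) < 8:
        return []
    magic, count = struct.unpack_from(">II", data, 0)
    if magic not in (FAT_MAGIC, FAT_MAGIC_64):
        return []
    # fat_arch is 20 bytes; fat_arch_64 widens offset and size to 64 bits.
    fmt = ">iiIII" if magic == FAT_MAGIC else ">iiQQII"
    step = struct.calcsize(fmt)
    # Reject a header whose architecture table would not fit in the file.
    if count == 0 or 8 + count * step > len(data):
        return []
    slices = []
    for i in range(count):
        cputype, _sub, offset, size = struct.unpack_from(fmt, data, 8 + i * step)[:4]
        if offset + size > len(data):
            raise ValueError("slice %d extends past end of file" % i)
        slices.append((CPU_NAMES.get(cputype, hex(cputype & 0xFFFFFFFF)), offset, size))
    return slices

def slice_share(data, arch):
    """Fraction of the file occupied by one architecture's slice, or None."""
    for name, _offset, size in fat_slices(data):
        if name == arch:
            return size / len(data)
    return None

def build_sample():
    """Constructed two-slice fat file (payloads are filler, not real Mach-O)."""
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">iiIII", 0x01000007, 3, 4096, 3000, 12)
    header += struct.pack(">iiIII", 0x0100000C, 0, 8192, 2000, 12)
    body = bytearray(8192 + 2000)
    body[:len(header)] = header
    return bytes(body)

if __name__ == "__main__":
    sample = build_sample()
    for arch, offset, size in fat_slices(sample):
        print(f"{arch:8} offset={offset:6} size={size:6} "
              f"({size / len(sample):.0%} of {len(sample)} bytes)")
```

On a real app, pass the bytes of the main executable or a framework binary; a thin (single-architecture) file returns an empty list, meaning the whole file is the slice.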