Lollipop on Nexus 4 – strange problem and even more surprising fix

I installed Android 5.0 Lollipop the day it became available for my Nexus 4. No waiting for OTA updates (which seldom work for me since I’m invariably running a non-stock kernel), so I simply took the factory image and then flashed the radio, bootloader, and each partition (bar recovery) one by one. One long boot later, and we were up and running.

I’ve been loving Lollipop ever since! It’s the slickest and most natural phone OS I’ve experienced yet, and shows iOS up as having the seriously restricted last gen UI it does. Two killer enhancements for me are the new model for notifications on the lock screen, since where my phone has work email/network access it’s necessarily always locked behind a long password (and I’m forbidden to root it anymore), and the idea of trusted devices (which I know the Moto G already had) which means that when I’m in my car and paired to my trusted BT handsfree said long password is disabled. Anyhow, I did have one annoying strange problem …

Whenever I tried to side load an APK, I couldn’t click on the install button. Literally you’d touch the screen and it’d show no response at all to the button. This was a real pain since many work specific applications are distributed via MaaS360 MDM which installs them locally and hence I couldn’t install any updates at all! When I first noticed the problem after running Lollipop for a day or two I tried Googling but found nothing useful, and put it down to something unique to me that I would have to try and fix one day via something radical like my first ever fresh install on this phone. Then the other day I was frustrated by it yet again and tried searching again, and found my saviour on reddit.

The reality is that this is actually a new security feature on Lollipop! I run Lux to give me more control over screen brightness, and when active Lux runs a “filter” over the screen to allow it to do things like night colour changes (not that I use night mode). Lollipop now disables the install button when it detects a screen filter being run, lest you are tricked into thinking you’re performing one action by an overlaid filter whilst actually installing some malware as a side loaded APK. Makes sense, apart from when you’ve not the foggiest there’s a totally transparent filter applied by one of the applications you run and you can’t work out why you can’t install things!

Quickly tapping the pause button on Lux removes the filter, and huzzah the install button is clickable again!

A quick Shellshock test on my MBP

If you’ve not read about Shellshock yet today, you probably should. For most people it’ll mean little in reality and the net impact will be an urgent security update, assuming they’re on OS X or Linux. Of course a different question is how overblown the press will make reports of Shellshock, given the panic they spread around Heartbleed earlier in the year!? You can always tell how good a job they’ve done at worrying people when friends and family phone you up and start with the phrase “you’re a geek … should I be worried about <insert technology issue>”.

Of course it is always concerning when a vulnerability is as long historically long lived and widespread as Shellshock seems it could be. Obvious things will be patched quickly, but there’ll be those old systems sat in the background that never will be. However, despite all the doom and gloom that will be spread about it “taking over entire websites”, the typical question of how a hacker is going to get to remotely execute said vulnerability-exploiting bash script in the first place remains!?

Starting with the most obvious, a quick check on my MBP running OSX 10.8.5 shows that it is indeed vulnerable.

bash --version
GNU bash, version 3.2.48(1)-release (x86_64-apple-darwin12)
Copyright (C) 2007 Free Software Foundation, Inc.

And executing a standard test example …

env x='() { :;}; echo vulnerable' bash -c 'echo to me stealing all your money'
to me stealing all your money

However, probably more importantly SSHing into my router running DD-WRT shows that it’s not got bash enabled.

Will be interesting to see how this one develops and whether I’ll get any phone calls!?