The January Android security patch is out and it fixes one of the most annoying Android bugs that crop up over time: certain apps can prevent you from contacting 911 or other global emergency numbers.
In early December, a harrowing story surfaced in the Google Pixel subreddit of a user whose Pixel 3 crashed when they needed it most: while calling 911 for their grandmother who “appears to be having a stroke.” The entire phone subsystem seemed to crash immediately when calling emergency services, with user “KitchenPicture5849” saying they couldn’t get the call to connect or hang up to retry the call. Fortunately, a landline was available nearby after their Android phone failed, and emergency services were contacted.
After the crisis was over, the user gave another chance to call 911 from his smartphone, and Android crashed again, indicating that it was not a one-time bug. A check of their phone bill also revealed that KitchenPicture5849 never actually connected to 911. They say they’ve also gotten a few other DMs from users who reported having the same bug.
Google contacted the user and publicly responded to the post on December 8:
Based on our research, we were able to reproduce the issue under a limited number of conditions. We believe that the issue only occurs on a small number of devices with the Microsoft Teams app installed when the user is not logged in, and we are currently aware of only one user report regarding the occurrence of this bug. We’ve determined that the issue was caused by inadvertent interaction between the Microsoft Teams app and the underlying Android operating system. Microsoft has been working closely with Google to resolve this accidental interaction.
Google said Microsoft would push an app update as soon as possible and users should check for an update in the Play Store. The company also said an OS-level patch would be released a full month later, early January (that is today). Subsequently, Google made no further comments on the matter.
Why apps can break 911
Delay. Microsoft Teams Destroyed 911? Random Android apps can break emergency services functionality? How? Why can third-party apps come within 300 meters of such a critical function? Are there any other apps that break 911, or just Microsoft Teams? While Teams was being fixed, was it really OK to let Android users hang around with this OS-level bug for a month, especially when we have no idea if other apps are doing it? Since Android is Android, many phones will never get a patch anyway. How can users know that emergency services will be working? Other than having to wait a month for a solution, Google didn’t answer.
Fortunately, some very smart people in the Android community were able to provide the answers that Google wouldn’t share. Mishaal Rahman, the Senior Technical Editor for Esper, wrote an incredible Medium post describing how the bug works and why it happens. Apps on Android with phone call functionality can register a “PhoneAccount” with the system, indicating that they have some ability to make calls. There are a few flags that apps can set with PhoneAccount, including one called ‘CAPABILITY_PLACE_EMERGENCY_CALLS’. When it’s time to call 911, Android sorts through the list of registered phone accounts and chooses one. This all seems fine so far.
One of several bugs identified in Rahman’s post is that Microsoft Teams registers an additional PhoneAccount with the system every time Teams starts up, provided you’re not logged in. Note that this is not the rare case of Microsoft Teams being installed and then never used – a common complaint of the Teams Android app is that users are often automatically logged out. If you are logged out, launching Microsoft Teams 10 times will cause 10 duplicate Teams PhoneAccounts to clog your phone. Teams shouldn’t be doing this, and Microsoft’s update has stopped Teams from doing so, but a couple of duplicate PhoneAccounts shouldn’t be enough to bring the Android phone system to its knees either.
Next bug: When choosing a phone account to make the emergency call, Android goes through a complicated sorting process to figure out which account to use. The last step in this sorting process, the tiebreaker, is sorting by hashcode. The hash code comparison simply subtracts one hash code from another. But just like that stupid Y2K22 Microsoft Exchange bug recently, it’s possible that it results in an integer over or underflow, and now the telephone subsystem will crash. Google’s code has bugs, but since it’s the latest sort tiebreaker after trying more obvious things like package name, it should only be called in the very specific case of an app spawning duplicate PhoneAccounts. So thank you, Microsoft!
Google’s fix for this bug is here, titled “Fix the integer over/underflow caused by sorting duplicate phone accounts during an emergency call attempt.” Instead of subtracting one hash code from the other and potentially encountering a very large or very small number that crashes the system, Google now outputs the two numbers via the java function “Integer.compare”. This returns only -1, 0, or 1, indicating a smaller, identical, or larger comparison result.
If you’re anything like me at first and wondering why Android searches phone accounts instead of just using the default account on the SIM, I’ll take a guess and say this was an attempt to make 911 work no matter what . Just in case the main account doesn’t work, Android wants a list of all possible phone accounts it can try, and it wants to do that automatically, to connect to 911 by any means necessary. This sorting system only exists for contacting emergency services, that’s why regular phone calls will still work for the affected users.
A third flaw in this mess is that Microsoft Teams doesn’t even register itself as an emergency call handler† Teams created a million PhoneAccounts, and it didn’t use the “CAPABILITY_PLACE_EMERGENCY_CALLS” flag, but it broke 911 anyway. Google’s sorting process starts with the query all phone accounts when a better first step would be to start with anything emergency call possible phone bills. Google is taking an even more drastic fix for this latest bug, removing every “self-managed” phone account from the system’s 911 process. “Self-managed” Android phone accounts, such as Microsoft Teams, get more direct access to the Android telephony stack and can use their own features. The Android emergency calling system now only considers simpler phone carriers that plug into the standard phone app, such as your carrier account. All those other VoIP apps can probably still be used to contact 911 yourself (many countries have 911 functionality required by law). But if you open the default dialer and hit “911,” Android will only choose from standardized, system-managed phone accounts.
Who gets a patch and how to check for the 911 bug
Rahman says Google’s bug for this is CVE-2021-39659, which the monthly security bulletin categorizes as a very serious “denial of service” vulnerability with patches for devices running Android 10, 11, and 12. In the Android codebase, Google is revert this fix to Android 8.0, which is no longer technically supported. This is mostly purely theoretical as zero manufacturers are actually pushing security updates to devices this old. But the code is there if anyone wants it.
Android’s phone stack isn’t an easy-to-update Project Mainline module (yet?), so the only way to get a fix is through Android’s January 2022 monthly security update. Samsung should have every phone on this list starting this week. update, while Google releases fixes for the Pixel 3a, 4, 4a, 5 and 5a. Updating: An emergency call update for the end-of-life Pixel 3 is also coming.
An update is not arrives before the Pixel 6. Google’s latest flagship is going through a bit of an update crisis right now. The December 2021 update has been withdrawn due to unrelated “mobile connectivity issues” (phone calls not working). While Google is making every effort to fix everything, the next Pixel 6 update with this 911 fix is expected in “late January.” Until then, it’s normal to be on the November patch. Both Google’s “early January” and “late January” patch timelines seem incredibly slow for a bug that could literally kill users.
I’ll take another wild guess and say that the Pixel 6 is an odd phone, as it’s a completely different SoC and modem (both from Samsung’s Exynos division, while every other Pixel uses Qualcomm). Making it into the Christmas shopping season didn’t give Google much wiggle room for launch delays. That doesn’t make it any less disappointing for a phone with the big selling point of day one updates, but hopefully this is a temporary issue.
I’m surprised that this is only a “high” severity (rather than “critical”) bug and that the rollout is taking one to two months. Delaying an ambulance could be fatal, so it would be nice if this all came faster, rather than how Google chooses to fix the problem.
— linuxct (@linuxct) December 11, 2021
If you’re waiting for a patch, or if you have one of the billions of Android devices that will never be patched, there is a way to see if your phone is currently full of duplicate PhoneAccounts. Mobile Security Analyst Linuxct has launched the incredible “PhoneAccount Abuse Detector”, an open source app that only lists all the phone accounts currently registered on your device. There’s no hard and fast rule here, but you should see about one phone account per VoIP app.
So far, we’ve only heard that Microsoft Teams caused this bug with duplicate phone accounts, but there’s no telling if other apps are making a similar error. If you see an app in this list generating tons of duplicate accounts, there’s a chance it won’t be able to connect you to emergency services. I recommend uninstalling the app, contacting the developer and letting the rest of us know on Twitter or something.