Android’s January security patch is out, and it’s addressing one of the nastiest Android bugs to come up in some time: certain apps can stop you from contacting 911 or other worldwide emergency services numbers.
In early December, a harrowing tale popped up in the GooglePixel subreddit from a user whose Pixel 3 crashed when they needed it most: while dialing 911 for their grandmother who “appeared to be having a stroke.” The whole phone subsystem seemed to immediately crash upon calling emergency services, with user “KitchenPicture5849” saying they couldn’t get the call to connect or hang up to try the call again. Luckily, a nearby landline was available after their Android phone let them down, and emergency services was able to be contacted.
After the crisis was over, the user gave calling 911 from their smartphone another shot, and Android crashed again, indicating it wasn’t a one-off bug. A check of their phone bill also revealed that KitchenPicture5849 never actually connected to 911. They say they also got a few other DMs from users reporting that they were experiencing the same bug.
Google contacted the user and publicly responded to the post on December 8:
Based on our investigation we have been able to reproduce the issue under a limited set of circumstances. We believe the issue is only present on a small number of devices with the Microsoft Teams app installed when the user is not logged in, and we are currently only aware of one user report related to the occurrence of this bug. We determined that the issue was being caused by unintended interaction between the Microsoft Teams app and the underlying Android operating system. Microsoft has collaborated closely with Google to resolve this unintended interaction.
Google said that Microsoft would be pushing an app update out ASAP and that users should check for an update in the Play Store. The company also mentioned that an OS-level patch would be out a full month later, in early January (that’s today). Then Google provided no further comments on the issue.
Why apps can break 911
Hold up. Microsoft Teams broke 911? Random Android apps can break the emergency services functionality? How? Why can third-party apps come within a thousand feet of such a critical function? Do any other apps break 911, or just Microsoft Teams? While Teams got fixed, was it really OK to let Android users hang out with this OS-level bug for a month, especially when we have no idea if other apps are doing it? Android being Android, many phones will never get patched anyway. How can users know emergency services will work? Other than saying to wait a month for a fix, Google wasn’t providing any answers.
Luckily, some very smart people in the Android community could provide the answers Google wouldn’t share. Mishaal Rahman, the Senior Technical Editor for Esper, wrote an incredible Medium post detailing how the bug works and why it happens. Apps on Android with phone call functionality can register a “PhoneAccount” with the system indicating they have some capability of placing calls. There are a few flags apps can set with PhoneAccount, including one called “CAPABILITY_PLACE_EMERGENCY_CALLS.” When the time comes to call to 911, Android sorts the list of PhoneAccounts that have been registered and picks one. This all seems fine so far.
One of the several bugs identified in Rahman’s post is that Microsoft Teams will register an additional PhoneAccount with the system every time Teams starts up, provided you aren’t logged in. Note that this isn’t the rare occurrence of installing Microsoft Teams and then never using it—a common complaint of the Teams Android app is that it frequently logs users out automatically. If you’re logged out, launching Microsoft Teams 10 times will result in 10 duplicate PhoneAccounts from Teams clogging your phone. Teams shouldn’t do this, and Microsoft’s update stopped Teams from doing this, but a bunch of duplicate PhoneAccounts also shouldn’t be enough to bring Android’s phone system to its knees.
Next bug: when picking a PhoneAccount to run the emergency call through, Android goes through a complicated sorting process to figure out which account to use. The last step in this sort process, the tiebreaker, is sorting by hashcode. The hashcode comparison just subtracts one hashcode from the other. But just like that stupid Y2K22 Microsoft Exchange bug from the other day, it’s possible for this to result in an integer overflow or underflow, and now the phone subsystem is going to crash. Google’s code is buggy, but since it’s the last sorting tiebreaker after trying more obvious things like the package name, it should only get invoked in the very specific instance of an app spawning duplicate PhoneAccounts. So thanks, Microsoft!
Google’s fix for this bug is here, titled “Fix the integer overflow/underflow caused by sorting of duplicate phone accounts during emergency call attempt.” Instead of subtracting one hashcode from another and potentially running into a really big or really small number that crashes the system, Google now runs the two numbers through the java function “Integer.compare.” This only returns -1, 0, or 1, indicating a smaller, identical, or bigger compare result.
If you’re like me at first and wondering why Android is sorting through phone accounts at all rather than just using the default account on the SIM card, I’ll take a wild guess and say this was an attempt at making 911 work no matter what. Just in case the main account doesn’t work, Android wants a list of every possible phone account it can try, and it wants to do that automatically, to connect to 911 by any means necessary. This sorting system only exists for contacting emergency services, which is why regular phone calls still work for the affected users.
A third bug in this mess is that Microsoft Teams does not even register itself as an emergency call handler. Teams made a million PhoneAccounts, and it did not use the flag “CAPABILITY_PLACE_EMERGENCY_CALLS,” but it still broke 911. Google’s sort process starts with querying all phone accounts when a better first step would be to start with all emergency call-capable phone accounts. Google is taking an even more drastic solution to this last bug and culling every “self-managed” phone account from the system’s 911 procedure. “Self-managed” Android phone accounts, like Microsoft Teams, get more direct access to the Android telephony stack and can roll their own features. The Android emergency call system will now only consider simpler telephony providers that plug into the default phone app, like your carrier account. All those other VoIP apps can still probably be used to contact 911 on their own (many countries require 911 functionality by law). But if you open the default dialer and hit “911,” Android is only going to pick from standardized, system-managed phone accounts.
Who’s getting patched, and how you can check for the 911 bug
Rahman says Google’s bug for this is CVE-2021-39659, which the monthly security bulletin categorizes as a high-severity “denial of service” vulnerability with patches for devices running Android 10, 11, and 12. In the Android codebase, Google is actually backporting this fix all the way to Android 8.0, which technically isn’t supported anymore. This is mostly purely theoretical since zero manufacturers are actually pushing security updates to devices this old. But the code is there if anyone wants it.
Android’s telephony stack is not (yet?) an easily updatable Project Mainline module, so the only way you’re getting a fix is via the Android January 2022 monthly security update. Samsung should be updating every phone on this list starting this week, while Google is pushing out fixes for the Pixel 3a, 4, 4a, 5, and 5a. Update: There is also an emergency call update coming for the end-of-life Pixel 3.
An update is not arriving for the Pixel 6 yet. Google’s newest flagship is going though a bit of an update crisis at the moment. The December 2021 update was pulled due to unrelated “mobile connectivity issues” (phone calls don’t work). While Google scrambles to fix everything, the next Pixel 6 update with this 911 fix is due in “late January.” Until then, it’s normal to be on the November patch. Both of Google’s “early January” and “late January” patch timelines seem incredibly slow for a bug that could cause users to literally die.
I’ll take another wild guess and say the Pixel 6 is the odd phone out because it’s a totally different SoC and modem (both from Samsung’s Exynos division, while every other Pixel uses Qualcomm). Making the holiday shopping season didn’t give Google much wiggle room for launch delays. That doesn’t make it any less disappointing for a phone with the big selling point of day-one updates, but hopefully, this is a temporary problem.
I’m amazed that this is only a “high” severity bug (instead of “critical”) and that the roll-out is taking one-to-two months. Delaying an ambulance could be fatal, so it would be nice if all of this arrived faster, instead of how Google is choosing to deal with the issue.
— linuxct (@linuxct) December 11, 2021
If you’re waiting for a patch, or if you have one of the billions of Android devices that won’t ever get patched, there is a way to see if your phone is currently overflowing with duplicate PhoneAccounts. Mobile security analyst Linuxct whipped up the incredible “PhoneAccount Abuse Detector,” an open-source app that will just list every phone account currently registered on your device. There’s no hard rule here, but you should be seeing about one Phone Account per VoIP app.
So far, we’ve only heard of Microsoft Teams triggering this bug with duplicate phone accounts, but there’s no telling if any other apps are making a similar mistake. If you see an app on this list generating tons of duplicate accounts, there’s a chance it will stop you from connecting with emergency services. I recommend uninstalling the app, contacting the developer, and letting the rest of us know on Twitter or something.