The January security patch for Android is now available, and it fixes one of the most vexing Android vulnerabilities in recent memory: some apps can prevent you from calling 911 or other international emergency services numbers.
A user’s Pixel 3 crashed while contacting 911 for their grandma who “looked to be having a stroke” in early December, according to a distressing story on the GooglePixel subreddit. When contacting 911, the entire phone system appeared to crash, with user “KitchenPicture5849” reporting that they couldn’t get the call to connect or hang up to try again. Fortunately, a neighboring landline was accessible after their Android phone died, and they were able to notify emergency personnel.
After the emergency was finished, the user tried again to dial 911 from their smartphone, and Android crashed, demonstrating that it wasn’t a one-time issue. KitchenPicture5849 was never truly connected to 911, according to their phone bill. They also claim to have received a couple other DMs from people who were suffering the same issue.
Google stated that Microsoft would be releasing an app update as soon as possible, and that users should check the Play Store for it. A month later, in early January (today), the business announced that an OS-level fix would be available. After that, Google remained silent on the subject.
Microsoft Teams will register an additional PhoneAccount with the system every time Teams starts up, if you aren’t logged in, according to one of the flaws found in Rahman’s post. It’s worth noting that this isn’t the first time you’ve installed Microsoft Teams only to never use it; a typical complaint about the Teams Android app is that it logs users out automatically. If you’re logged out, running Microsoft Teams 10 times will cause your phone to become clogged with 10 duplicate PhoneAccounts from Teams. Teams shouldn’t do this, and Microsoft’s update made it impossible for them to do so, but a slew of identical PhoneAccounts shouldn’t be enough to bring Android’s phone system to a halt.
The next fault is that when selecting a PhoneAccount to use for the emergency call, Android goes through a lengthy sorting process to determine which account to utilise. Sorting by hashcode is the final stage in this sort process, and it acts as a tiebreaker. When two hashcodes are compared, one is subtracted from the other. However, similarly like the Y2K22 Microsoft Exchange flaw from a few days ago, this might result in an integer overflow or underflow, causing the phone subsystem to fail. Google’s code is problematic, but since it’s the final tiebreaker after trying more obvious things like the package name, it should only be used in the extremely rare case of an app producing duplicate PhoneAccounts.
“Update the integer overflow/underflow caused by sorting of multiple phone accounts during emergency call attempt,” according to Google’s fix. Rather than subtracting one hashcode from another and risking a system crash, Google now compares the two integers using the java function “Integer.compare.” Only -1, 0 or 1 are returned, indicating a smaller, identical, or larger comparative result.If you’re like me and haven’t figured out why Android is sorting through phone accounts instead of just utilising the default account on the SIM card, I’ll venture a guess that it’s an attempt to make 911 function no matter what.
Microsoft Teams does not even register as an emergency call handler, which is a third flaw in this mess. Teams created a million PhoneAccounts without using the “CAPABILITY PLACE EMERGENCY CALLS” flag, but 911 was still broken. Google’s sorting procedure begins by querying all phone accounts, while a preferable initial step would be to query those phone accounts that can make emergency calls. Google is taking an even more extreme approach to this final problem, removing all “self-managed” phone accounts from the system’s 911 system. “Self-managed” Android phone accounts, such as Microsoft Teams, have more direct access to the Android telephony stack and are able to roll their own features.
