Google is quietly rolling out a major security update for all supported Android versions in a new Google Services update. As is the case now with iPhones and other Apple devices, inactive Android devices will now automatically reboot after three days and enter a more secure state.
“With this feature, your device automatically restarts if locked for 3 consecutive days,” the Google Support website explains. “Google System updates make your Android devices more secure and reliable, and give you new and useful features. They include updates from Google to the Android operating system, Google Play Store, and Google Play services.”
Windows Intelligence In Your Inbox
Sign up for our new free newsletter to get three time-saving tips each Friday — and get free copies of Paul Thurrott’s Windows 11 and Windows 10 Field Guides (normally $9.99) as a special welcome gift!
“*” indicates required fields
There’s a lot more to this update–Google Play services 25.4, which Google issued yesterday and is now rolling out over time–for example, content previews in Quick Share, UIs updates, Phone and Wallet updates, and so on. And this is Android, so these updates can impact phones and tablets, of course, but also Auto, TV, and Wear. But the rebooting features is particularly notable, as is its categorization under a security and privacy heading.
Originally expected to be an Android 16 feature, this change means that all supported Android devices will be put in what’s called a Before First Unlock (BFU) state after three days of inactivity, that annoying (to users) state in which you can no longer use biometrics to unlock it. Apple bogs down its devices with a similar requirement on what feels like a random schedule. And in iOS 18.1, it added a similar feature that automatically reboots devices after a period of inactivity, forcing this state on users.
This type of thing has always confused me. On Windows, biometric logins are the most secure option and there’s never a case–barring a biometric login failure–in which you’re forced to go back to a PIN or password. But Android and Apple’s device OSes all do this regularly, for some reason. (Some Android facial sign-in technologies are considered less secure, so perhaps it makes sense in those instances.) And now Android will do so in another instance, which … is fine. Three days of in activity is a long time. But it’s unclear why BFU requires a PIN when biometrics are available, with no way for the user to override this configuration.
