Google adds Android auto-reboot to block forensic data extractions


Google is rolling out a new security mechanism on Android devices that will automatically reboot locked, unused devices after three consecutive days of inactivity, restoring memory to an encrypted state.

Although the tech giant has not commented on the exact motives behind the addition of this feature, it is expected to make data extraction by advanced forensic tools harder by bringing devices into a non-exploitable state more often.

Auto-reboots after 3 days

The new auto-reboot feature was listed in the latest Google Play services update (v25.14), under ‘Security & Privacy.’

“With this feature, your device automatically restarts if locked for 3 consecutive days,” read the release notes.

In January 2024, the developers behind the privacy-centric GrapheneOS warned of firmware flaws in Android that digital forensic companies are leveraging to extract data without the user’s authorization.

When an Android phone is first started, it enters a Before First Unlock (BFU) state, where most user data remains encrypted and inaccessible until the device is unlocked for the first time. Once the user unlocks it with their PIN or biometrics, the device enters the After First Unlock (AFU) state, which decrypts the user’s data, making it accessible for data extraction or surveillance.

Devices seized or stolen are typically already in the AFU state, so even if the screen is locked, forensic tools can extract at least some user data from them.

To solve this, GrapheneOS introduced an auto-reboot mechanism that restarts the system after 18 hours of inactivity, bringing the device back into the “Before First Unlock” (BFU) state. This makes the data fully encrypted again and inaccessible to forensics companies.

Google has now introduced this same feature into Android, though the reboot isn’t set to an interval as aggressive as GrapheneOS’s 18 hours. Instead, the device is rebooted after 72 hours of inactivity, with no option to reduce the time.

However, this timeframe should still be good enough to block many attacks involving long-term physical access associated with forensic investigations.

To further strengthen physical security, it is recommended to turn off USB data transfer when the device is locked.

Amnesty International uncovered earlier this year that Cellebrite tools leveraged USB kernel driver flaws in Android to unlock locked devices that had been confiscated.

You can install the latest Google Play services update (v25.14) via the Google Play store. However, the update is rolling out gradually, so it may not be immediately available for everyone.

Important security updates for Android devices are also made available through Settings > Security & privacy > System & updates > Google Play system update.


