Android 17 and PIN Security: Brute-Force Attacks Just Hit a Wall

Android 17 Makes PIN Brute-Forcing Almost Useless
© A. Krivonosov

Android 17 has seriously tightened smartphone protection against brute-force attacks, where criminals or specialized tools automatically try different PIN codes. This scenario is not limited to thieves after a stolen device; in some cases, law-enforcement agencies also use similar methods when trying to unlock seized phones. Now there is far less room for guessing.

In Android 16, the system allowed 10 PIN attempts in the first minute, 20 in the first six minutes, 50 in 25 minutes, 110 in one day, and up to 1,800 attempts over five years. That long-term limit mattered most for brute-force tools: with enough time, they could test a noticeable share of common four-digit combinations.

In Android 17, the limits are much stricter. Only six attempts are available in the first minute, seven in six minutes, eight in 25 minutes, 12 in one day, and just 19 attempts over five years. After 20 wrong entries, the smartphone is fully locked. For automated guessing, that almost kills the attack scenario: the tool quickly hits the wall and can no longer keep trying.

Even a four-digit PIN has 10,000 possible combinations, but the new delays and the hard ceiling of 20 mistakes make brute-forcing practically pointless. Google is also handling normal user mistakes more carefully: starting with Android 16 QPR2, if someone enters the same wrong PIN several times in a row, the system does not count them as separate attempts. The lock screen now also shows clearer messages about remaining attempts and wait times.

Still, the new protection does not replace basic security habits. Weak PINs like 1234, 0000, or a birth year can still be guessed in the first few tries, while forced unlocking by face or fingerprint remains a separate risk. The takeaway is simple: after Android 17, a long and unpredictable PIN matters even more.