How long should you hold on to your phone before an upgrade? For smartphones, the answer is less a matter of physical age (except when a user wants certain new phone capabilities) and more about what kind of software the phone can run and whether the latest known vulnerabilities have been patched.
Mobile-device security resides more in the software than in the hardware. That's because hardware changes more slowly, and the most prevalent attacks of the last few years have focused on stealing money and credentials rather than exploiting hardware flaws, according to Chet Wisniewski, senior security advisor at Sophos Canada.
Wisniewski also said that smartphone users tend to let their phones update their software automatically when they can. This is particularly true for iPhones, but issues can arise as your smartphone gets older, especially if it's an Android device.
How long can you safely use an old iPhone?
Apple supports its smartphones for at least five years, sometimes longer, after a model is released, giving the devices the latest versions of iOS and the latest patches to known vulnerabilities. That's pretty generous considering that most people get a new smartphone every two or three years.
For example, if you are using an iPhone 6, released in September 2015, it might be difficult to upgrade to iOS 14, released in September 2020. But you would be able to use iOS 13, released in September 2019.
The oldest iPhone that iOS 14 (and iOS 15) can run on is the iPhone 6s, from September 2015. We would have put money on a bet that the iPhone 6s wouldn't be able to run iOS 15, but Apple surprised us by giving the six-year-old phone (and the original iPhone SE) another year of life in September 2021.
There still isn't a lot of iOS malware out there, so your chances of getting infected are slim, even if you do use an iPhone that's more than six or seven years old. But it's better to be safe than sorry, especially when Apple makes upgrading the operating system so easy and convenient.
As of January 2022, according to Apple's own figures, roughly 72% of iPhone users had upgraded to iOS 15 and were receiving periodic security updates — but that was only on devices less than five years old. Perhaps Apple doesn't want to reveal how many people are still safely using iPhones that are even older.
How long can you safely use an old Android phone?
Gauging an Android phone's safe-use limits can be harder, as Android phones are not as standardized as iPhones.
A couple of years ago, an Android phone wouldn't get any more security updates once it was more than three years old, and that's provided it could even get all the updates before then. After three years, you were better off getting a new phone.
That's now changed. Google, Samsung and chipset maker Qualcomm in late 2020 and early 2021 all committed to providing four years of security updates for some devices.
For Qualcomm, it means that all phones with Qualcomm Snapdragon chipsets, beginning with the Snapdragon 888 that appeared on many 2021 flagships, will get four years of security updates and three Android version upgrades.
As for Samsung, it now guarantees four years of security updates for all Samsung Galaxy phones released in 2019 and later, beginning with the Galaxy 10 and Galaxy Note 10 series. This includes Galaxy phones that aren't using Qualcomm chipsets.
Overall, the product cycle on Android phones is less consistent than on iPhones. There are hundreds of smartphone makers that use (and alter) Android. It's still less than certain, for example, whether an old handset will run the latest version of the OS two years after the phone's introduction.
Only Google's own Pixel devices are guaranteed to get the latest Android security updates on the day the updates are released, although the latest Samsung, OnePlus and Motorola devices are often not far behind. Google has a timeline of how long each Pixel device will get updates on its support site.
For example, the current version of Android, Android 12, released in October 2021, won't run on phones that have less than 2GB of RAM. Nor is Android 12 supported on the Google Pixel 3, which was released in October 2018.
However, the original Pixel, released with Android 7 Nougat in October 2016, did get Android 10 in September 2019, and its last official Android security updates in December of that year.
The Pixel 2, released in October 2017, got its last official update in December 2020, but it could be updated to Android 11. (Those who bought Google's Preferred Care service plan got updates until April 2021.) Pixel 2 owners who want to keep their phones alive should check out the Lineage OS project, which ports Android updates to older devices.
Samsung phones already get a bit extra
Samsung's own security-update chart shows the company already gives a longer period of support than Google does, even with pre-2019 models. You might get nearly four years of updates with Samsung's older flagships.
For example, the Samsung Galaxy S8, released in April 2017, is done with updates. But its Lite version, released a few months later, still gets biannual security updates as of March 2022. Both phones shipped with Android 7 Nougat and can be upgraded to Android 10.
The Samsung Galaxy S9 and S9+, released in March 2018, were on Samsung's quarterly-update track as of March 2022, although they go only up to Android 10 officially. They've likely got several more months of security updates, as phones often move to the biannual-update track before going completely out of support.
The oldest Samsung Galaxy phones to be on the monthly update cycle are the Galaxy 10 and Galaxy Note 10 series, both launched in the first half of 2019. Per Samsung's recent support statement, they should be good to use until the middle of 2023.
Another problem with Android devices is that older versions of the Android OS stick around for a lot longer than they should, as phone makers often ship second-tier or budget phones without the latest version of Android.
Because of this, many users start from behind and fall even further back as manufacturers, carriers and users themselves fail to implement system updates.
In February 2022, per Statista, Android 11 was running on 37% of Android devices, Android 10 had a 24% market share, and Android 9 Pie had a 12% share. However, the current Android 12 wasn't running on enough phones to register.
That's only about 60% of Android devices getting regular updates, at least in theory. Nonetheless, it's much better than what we saw in April 2017, when only a third of Android devices were running supported OS versions.
This leaves as many as 40% of Android devices worldwide running older versions that no longer get security updates. Those phones, hundreds of millions of them, were and are inherently unsafe to use.
Google generally supports the two previous versions of Android along with the current version. So in March 2022, that meant Android versions 12, 11 and 10 were getting security updates when installed on Pixel phones and other phones whose makers supply those updates.
How long can you safely use an old 'dumb' cellphone?
One might actually be safer using a cellphone that predates smartphones, or a latter-day "feature" phone, instead of an out-of-date smartphone.
"I quite like the idea of carrying a 'dumb' phone from the late 1990s rather than a smartphone of today," said Graham Cluley, a security analyst who has worked in the field for more than 20 years.
"If all I want [the phone] to do is send text messages and make calls, chances are that it will not only have little fear of malware — it will also have a lot better battery life to boot."
An ancient Nokia candy-bar or flip phone, lacking a browser, would be safe from most internet-based attacks, since it would be effectively invisible to internet-connected devices. But that safety eliminates the ability to do anything on the internet as well.
Alas, those old phones aren't invulnerable, because old malware never really goes away.
"There is still code on old phones, and it may have been effectively abandoned and therefore unpatched," said Steve Santorelli, director of analysis and outreach for Lake Mary, Florida-based threat-intelligence firm Team Cymru. "We're still seeing newly discovered issues that have actually been around for many years, but only just discovered by researchers."
Old dumb phones are less vulnerable because they're no longer attractive targets, not because of any inherent superiority.
The right way to deal with aging phones
"The alternative, and arguably the better option," Santorelli said, "is to have a smartphone, but ensure it's fully patched with one of the best password managers, and a user with some awareness of threats and ways to guard against them. Two-factor authentication will also keep you out of trouble a lot of the time."
In that sense, Santorelli said, patches are crucial, even for third-party apps that aren't part of the operating system.
"Every mobile operating system and most applications will come out with patches all the time," he said. "Researchers find holes in software and developers fix them, hopefully, before too many hackers start to use them to compromise your system."
So update those apps every time the Google Play or iOS app stores tell you to. Accept the upgrades to the latest operating-system versions when they arrive. Install and use one of the best Android antivirus apps on your Android device. (Sorry, but that doesn't exist for iOS.)
And if your smartphone no longer gets OS updates or security patches, then it's time to move on. Here's the safest way to get rid of an old smartphone.
Updated with new operating-system versions, phone models and statistics. This story was first published in April 2017.