How long should you hold on to your phone?
For smartphones, the answer is less a matter of physical age (except insofar as the user wants certain phone capabilities) and more about what kind of software the phone can run and whether that software has the latest known vulnerabilities patched. In that respect, iPhones and Android phones differ greatly.
Mobile-device security resides in the software more than it does in the hardware. That's because hardware changes somewhat more slowly, and also because the kinds of attacks invented in the past several years focus on stealing money rather than exploiting hardware, said Chester Wisniewski, a senior security advisor at Sophos Canada in Vancouver.
Smartphone users, Wisniewski said, tend to let their phones update software automatically, when they can. That's particularly true for iPhones. But issues arise as your smartphone gets older, especially if it's an Android device.
How long can you safely use an old iPhone?
Apple supports its smartphones for about five years after a model is released, giving the devices the latest versions of iOS and the latest patches to known vulnerabilities. That's pretty generous considering that most people get a new smartphone every two or three years.
For example, if you are using an iPhone 4s, released in October 2011, it might be difficult to upgrade to iOS 10, released in September 2016. But you would be able to use iOS 9, released in September 2015.
The oldest iPhone that iOS 10 can run on is the iPhone 5, from September 2012. However, you can put money on the likelihood that the iPhone 5 won't be able to run iOS 11.
There isn't a lot of iOS malware out there, so your chances of getting infected are slim, even if you do use an iPhone that's more than five years old. But it's better to be safe than sorry, especially when Apple makes upgrading the operating system so easy and convenient.
As of late February 2017, according to Apple's own figures, roughly 79 percent of iDevice users had upgraded to iOS 10 and were receiving periodic security updates — even on devices nearly five years old. Make sure you join the club.
How long can you safely use an old Android phone?
Gauging an Android phone's safe-use limits can be harder, as Android phones are not as standardized as iPhones. But in general, an Android phone won't get any more security updates if it's more than three years old, and that's provided it can even get all the updates before then. After three years, you're better off getting a new phone.
The product cycle on Android phones is less consistent than on iPhones. There are hundreds of smartphone makers that use (and alter) Android. It's less than certain, for example, whether an old Samsung handset will run the latest version of the OS two years after the phone's introduction.
Only Google's own Pixel devices are guaranteed to get the latest Android security updates in a timely manner, although the latest Samsung and Motorola devices are often not far behind.
For example, the current version of Android, Android 7 Nougat, released in August 2016, is not designed for compatibility with phones that use Qualcomm's Snapdragon 801/800 chipset, which is found in many of the big-name handsets made in the last few years.
That 2013 Samsung Galaxy S4 won't run Nougat, but neither will the Samsung Galaxy S5, LG G3 or OnePlus One, all flagship models released in the spring of 2014. However, the latter three can be upgraded to Android 6 Marshmallow (from fall 2015), and if so, some of these devices may even get security patches until the fall of 2017.
Google's own Nexus 6 phone, released in the fall of 2014, can be upgraded to the latest version of Nougat (7.1.1) and will receive over-the-air security patches until the fall of 2017. But it won't be compatible with the upcoming Nougat 7.1.2.
Another problem is that older versions of the Android OS stick around for a lot longer than they should, as phone makers often fail to put the current version on second-tier or budget phones. As a result, many users start from behind and fall even further back as manufacturers, carriers and users themselves fail to implement system updates.
In late March 2017, per Google's own figures, Nougat was running on 3 percent of Android devices and Marshmallow had a 31 percent market share. But the other two-thirds of Android devices worldwide were running older versions that were no longer getting security updates. Those phones, hundreds of millions of them, were and are inherently unsafe to use.
How long can you safely use an old 'dumb' cellphone?
One might actually be safer using a cellphone that predates smartphones, instead of an out-of-date smartphone.
"I quite like the idea of carrying a 'dumb' phone from the late 1990s rather than a smartphone of today," said Graham Cluley, a security analyst who has worked in the field for more than 20 years. "If all I want [the phone] to do is send text messages and make calls, chances are that it will not only have little fear of malware — it will also have a lot better battery life to boot."
An ancient Nokia candy-bar or flip phone, lacking a browser, would be safe from most internet-based attacks, since it would be effectively invisible to internet-connected devices. But that safety eliminates the ability to do anything on the internet as well.
Alas, those old phones aren't invulnerable, because old malware never really goes away.
"There is still code on old phones, and it may have been effectively abandoned and therefore unpatched," said Steve Santorelli, director of analysis and outreach for Lake Mary, Florida-based threat-intelligence firm Team Cymru. "We're still seeing newly discovered issues that have actually been around for many years, but only just discovered by researchers."
The old dumb phones are less vulnerable because they're no longer attractive targets, not because of any inherent superiority.
The right way to deal with aging phones
"The alternative, and arguably the better option," Santorelli said, "is to have a smartphone, but ensure it's fully patched with one of the best password managers, and a user with some awareness of threats and ways to guard against them. Two-factor authentication will also keep you out of trouble a lot of the time."
In that sense, Santorelli said, patches are crucial, even for third-party apps that aren't part of the operating system.
"Every mobile operating system and most applications will come out with patches all the time," he said. "Researchers find holes in software and developers fix them, hopefully, before too many hackers start to use them to compromise your system."
So update those apps every time the Google Play or iOS app stores tell you to. Accept the upgrades to the latest operating-system versions when they arrive. Install and use mobile antivirus software on your Android device. (Sorry, but that doesn't exist for iOS.)
And if your smartphone no longer gets OS updates or security patches, then it's time to move on.