How long should you hold on to your phone before an upgrade? For smartphones, the answer is less a matter of physical age (except when a user wants certain new phone capabilities) and more about what kind of software the phone can run and whether the latest known vulnerabilities have been patched.
Mobile-device security resides more in the software than in the hardware. This is because hardware changes more slowly, and the kinds of attacks that have been the most prevalent in the last few years have focused on stealing money and credentials rather than exploiting hardware flaws, according to Chet Wisniewski, senior security advisor at Sophos Canada.
Wisniewski also said that smartphone users tend to let their phones update their software automatically, when they can. This is particularly true for iPhones, but issues can arise as your smartphone gets older, especially if it's an Android device.
How long can you safely use an old iPhone?
Apple supports its smartphones for at least five years after a model is released, though it can sometimes be longer. During that time, an iPhone will get the latest versions of iOS as well as the latest patches to known vulnerabilities. This is pretty generous considering that most people get a new smartphone every two to three years.
For instance, if you're using an iPhone 6 (released in September 2015) it might be difficult to upgrade to iOS 14. However, you would still be able to use iOS 13, which was released in 2019.
The oldest iPhone that iOS 15 can run on is the iPhone 6s from September 2015. While we were almost certain this device wouldn’t be able to run iOS 15, Apple surprised us by giving the aging device (along with the original iPhone SE) another year of life.
There still isn’t a lot of iOS malware available and your chances of getting infected are lower than on an Android smartphone, even with an iPhone that’s more than seven years old. However, it’s better to be safe than sorry, especially when Apple makes upgrading to the latest operating system so easy and convenient.
According to Apple’s own figures, as of January 2022, roughly 72 percent of iPhone users had upgraded to iOS 15 and were receiving periodic security updates (on devices less than five years old). It could be a case of Apple not wanting to reveal how many people are still safely using older iPhones.
How long can you safely use an old Android phone?
Gauging an Android phone's safe-use limits can be harder, as Android phones are not as standardized as iPhones.
A couple of years ago, an Android phone wouldn't get any more security updates if it was more than three years old, and that's provided it could even get all the updates before then. After three years, you were better off getting a new phone.
That's now changed. Google, Samsung and chipset maker Qualcomm in late 2020 and early 2021 all committed to providing four years of security updates for some devices.
For Qualcomm, it means that all phones with Qualcomm Snapdragon chipsets, beginning with the Snapdragon 888 that appeared on many 2021 flagships, will get four years of security updates and three Android version upgrades.
As for Samsung, it now guarantees four years of security updates for all Samsung Galaxy phones released in 2019 and later, beginning with the Galaxy 10 and Galaxy Note 10 series. This includes Galaxy phones that aren't using Qualcomm chipsets.
Overall, the product cycle on Android phones is less consistent than on iPhones. There are hundreds of smartphone makers that use (and alter) Android. It's still less than certain, for example, whether an old handset will run the latest version of the OS two years after the phone's introduction.
Only Google's own Pixel devices are guaranteed to get the latest Android security updates on the day the updates are released, although the latest Samsung, OnePlus and Motorola devices are often not far behind. Google has a timeline of how long each Pixel device will get updates on its support site.
For example, the current version of Android, Android 12, released in October 2021, won't run on phones that have less than 2GB of RAM. Nor is Android 12 supported on the Google Pixel 3, which was released in October 2018.
However, the original Pixel, released with Android 7 Nougat in October 2016, did get Android 10 in September 2019, and its last official Android security updates in December of that year.
The Pixel 2, released in October 2017, got its last official update in December 2020, but it could be updated to Android 11. (Those who bought Google's Preferred Care service plan got updates until April 2021.) Pixel 2 owners who want to keep their phones alive should check out the LineageOS project, which ports Android updates to older devices.
Samsung phones already get a bit extra
Samsung's own security-update chart shows the company already gives a longer period of support than Google does, even with pre-2019 models. You might get nearly four years of updates with Samsung's older flagships.
For example, the Samsung Galaxy S8, released in April 2017, is done with updates. But its Lite version, released a few months later, still gets biannual security updates as of March 2022. Both phones shipped with Android 7 Nougat and can be upgraded to Android 10.
The Samsung Galaxy S9 and S9+, released in March 2018, were on Samsung's quarterly-update track as of March 2022, although they go only up to Android 10 officially. They've likely got several more months of security updates, as phones often move to the biannual-update track before going completely out of support.
The oldest Samsung Galaxy phones to be on the monthly update cycle are the Galaxy 10 and Galaxy Note 10 series, both launched in the first half of 2019. Per Samsung's recent support statement, they should be good to use until the middle of 2023.
Another problem with Android devices is that older versions of the Android OS stick around for a lot longer than they should, as phone makers often ship second-tier or budget phones without the latest version of Android.
Because of this, many users start from behind and fall even further back as manufacturers, carriers and users themselves fail to implement system updates.
In February 2022, per Statista, Android 11 was running on 37% of Android devices, Android 10 had a 24% market share, and Android 9 Pie had a 12% share. However, the current Android 12 wasn't running on enough phones to register.
That's only about 60% of Android devices getting regular updates, at least in theory. Nonetheless, it's much better than what we saw in April 2017, when only a third of Android devices were running supported OSes.
This leaves as many as 40% of Android devices worldwide running older versions that no longer get security updates. Those phones, hundreds of millions of them, were and are inherently unsafe to use.
Google generally supports the two previous versions of Android along with the current version. So in March 2022, that meant Android versions 12, 11 and 10 were getting security updates when installed on Pixel phones and other phones whose makers supply those updates.
How long can you safely use an old 'dumb' cellphone?
One might actually be safer using a cellphone that predates smartphones, or a latter-day "feature" phone, instead of an out-of-date smartphone.
"I quite like the idea of carrying a 'dumb' phone from the late 1990s rather than a smartphone of today," said Graham Cluley, a security analyst who has worked in the field for more than 20 years.
"If all I want [the phone] to do is send text messages and make calls, chances are that it will not only have little fear of malware — it will also have a lot better battery life to boot."
An ancient Nokia candy-bar or flip phone, lacking a browser, would be safe from most internet-based attacks, since it would be effectively invisible to internet-connected devices. But that safety eliminates the ability to do anything on the internet as well.
Alas, those old phones aren't invulnerable, because old malware never really goes away.
"There is still code on old phones, and it may have been effectively abandoned and therefore unpatched," said Steve Santorelli, director of analysis and outreach for Lake Mary, Florida-based threat-intelligence firm Team Cymru. "We're still seeing newly discovered issues that have actually been around for many years, but only just discovered by researchers."
The reason the old dumb phones are less vulnerable is that they're no longer attractive targets, not that they have any inherent superiority.
The right way to deal with aging phones
"The alternative, and arguably the better option," Santorelli said, "is to have a smartphone, but ensure it's fully patched with one of the best password managers, and a user with some awareness of threats and ways to guard against them. Two-factor authentication will also keep you out of trouble a lot of the time."
In that sense, Santorelli said, patches are crucial, even for third-party apps that aren't part of the operating system.
"Every mobile operating system and most applications will come out with patches all the time," he said. "Researchers find holes in software and developers fix them, hopefully, before too many hackers start to use them to compromise your system."
So update those apps every time the Google Play or iOS app stores tell you to. Accept the upgrades to the latest operating-system versions when they arrive. Install and use one of the best Android antivirus apps on your Android device. (Sorry, but that doesn't exist for iOS.)
And if your smartphone no longer gets OS updates or security patches, then it's time to move on. Here's the safest way to get rid of an old smartphone.
Updated with new operating-system versions, phone models and statistics. This story was first published in April 2017.
Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.