For smartphones, the answer is less a matter of physical age (except insofar as the user wants certain phone capabilities) and more about what kind of software the phone can run and whether that software has the latest known vulnerabilities patched.
In that respect, iPhones and Android phones differ greatly, although the gap between the two is narrowing.
Mobile-device security resides in the software more than it does in the hardware. That’s because hardware changes somewhat more slowly, and also because the kinds of attacks most prevalent in the past several years have focused on stealing money rather than exploiting hardware, said Chet Wisniewski, a senior security advisor at Sophos Canada in Vancouver.
Smartphone users, Wisniewski said, tend to let their phones update software automatically, when the phones can. That’s particularly true for iPhones. But issues arise as your smartphone gets older, especially if it’s an Android device.
Apple supports its smartphones for about five years after a model is released, giving the devices the latest versions of iOS and the latest patches to known vulnerabilities. That’s pretty generous considering that most people get a new smartphone every two or three years.
For example, if you are using an iPhone 6, released in September 2014, it might be difficult to upgrade to iOS 14, released in September 2020. But you would be able to use iOS 13, released in September 2019.
The oldest iPhone that iOS 14 can run on is the iPhone 6s, from September 2015. However, you can put money on the likelihood that the iPhone 6s won’t be able to run iOS 15.
There still isn’t a lot of iOS malware out there, so your chances of getting infected are slim, even if you do use an iPhone that’s more than five years old. But it’s better to be safe than sorry, especially when Apple makes upgrading the operating system so easy and convenient.
As of May 2021, according to Apple’s own figures, roughly 80% of iPhone users had upgraded to iOS 14 and were receiving periodic security updates — even on devices nearly five years old. Make sure you join the club.
Gauging an Android phone’s safe-use limits can be harder, as Android phones are not as standardized as iPhones.
Generally, an older Android phone won’t get any more security updates if it’s more than three years old, and that’s provided it can even get all the updates before then. After three years, you’re better off getting a new phone.
That’s going to change with some of the newest models. Google, Samsung and chipset maker Qualcomm in late 2020 and early 2021 all committed to providing four years of security updates for some devices.
For Qualcomm and Google, it means that all phones with Qualcomm Snapdragon chipsets, beginning with the Snapdragon 888 that’s appearing on many 2021 flagships, will get four years of security updates and three Android version upgrades.
As for Samsung, it now guarantees four years of security updates for all Samsung Galaxy phones released in 2019 and later, beginning with the Galaxy 10 and Galaxy Note 10 series. This includes Galaxy phones that aren’t using Qualcomm chipsets.
Overall, the product cycle on Android phones is less consistent than on iPhones. There are hundreds of smartphone makers that use (and alter) Android. It’s still less than certain, for example whether an old handset will run the latest version of the OS two years after the phone’s introduction.
Only Google’s own Pixel devices are guaranteed to get the latest Android security updates on the day the updates are released, although the latest Samsung, OnePlus and Motorola devices are often not far behind. Google has a timeline of how long each Pixel device will get updates on its support site.
For example, the current version of Android, Android 11, released in September 2020, won’t run on phones that have less than 2GB of RAM. Nor is Android 11 supported on a first-generation Google Pixel, released in September 2016.
However, the original Pixel did get Android 10 in September 2019, and its last official Android security updates in December of that year.
The Pixel 2, released in October 2017, got its last official update in December 2020, but it can be updated to Android 11. (Those who bought Google’s Preferred Care service plan got updates until April 2021.) Pixel 2 owners who want to keep their phones alive should check out the Lineage OS project, which ports Android updates to older devices.
The most recent Pixel models, the Pixel 4a 5G and Pixel 5, shipped with Android 11 pre-installed in the fall of 2020. You can expect them to get Android 12 and 13 and to keep going until at least the fall of 2023. (As they don’t have Snapdragon 888 chipsets, they won’t get the fourth year.)
Samsung’s own security-update chart shows the company already gives a longer period of support than Google does, even with pre-2019 models. You might get nearly four years of updates with Samsung’s older flagships.
For example, the Samsung Galaxy S8, released in April 2017, is done with updates. But its Lite and Active versions, released a few months later, still got biannual and quarterly security updates, respectively, as of May 2021. All three phones shipped with Android 7 Nougat and can be upgraded to Android 9 Pie.
The Samsung Galaxy S9 and S9+, released in March 2018, were on Samsung’s quarterly-update track as of May 2021. They’ve likely got several more months of updates, as phones often move to the biannual-update track before going completely out of support.
The oldest Samsung Galaxy phones to be on the monthly update cycle are the Galaxy 10 and Galaxy Note 10 series, both launched in the first half of 2019. Per Samsung’s recent support statement, they should be good to use until the middle of 2023.
Another problem with Android devices is that older versions of the Android OS stick around for a lot longer than they should, as phone makers often ship second-tier or budget phones without the latest version of Android.
Because of this, many users start from behind and fall even further back as manufacturers, carriers and users themselves fail to implement system updates.
In April 2021, per Statista, Android 11 was running on 12.5% of Android devices, Android 10 had a 37% market share, and Android 9 Pie had an 18% share. That’s two-thirds of devices getting regular updates, at least in theory, and is much better than better than what we saw in April 2017, when only a third of devices were running supported OS’s.
Nevertheless, that still leaves one-third of Android devices worldwide running older versions that no longer get security updates. Those phones, hundreds of millions of them, were and are inherently unsafe to use.
Google generally supports the two previous versions of Android along with the current version. So in May 2021, that meant Android versions 11, 10 and 9 were getting security updates when installed on Pixel phones and other phones whose makers supply those updates.
Android 12 was released in beta in mid-May 2021, and Google plans to officially retire Android 9 in the fall of 2021.
One might actually be safer using a cellphone that predates smartphones, or a latter-day “feature” phone, instead of an out-of-date smartphone.
“I quite like the idea of carrying a ‘dumb’ phone from the late 1990s rather than a smartphone of today,” said Graham Cluley, a security analyst who has worked in the field for more than 20 years.
“If all I want [the phone] to do is send text messages and make calls, chances are that it will not only have little fear of malware — it will also have a lot better battery life to boot.”
An ancient Nokia candy-bar or flip phone, lacking a browser, would be safe from most internet-based attacks, since it would be effectively invisible to internet-connected devices. But that safety eliminates the ability to do anything on the internet as well.
Alas, those old phones aren’t invulnerable, because old malware never really goes away.
“There is still code on old phones, and it may have been effectively abandoned and therefore unpatched,” said Steve Santorelli, director of analysis and outreach for Lake Mary, Florida-based threat-intelligence firm Team Cymru. “We’re still seeing newly discovered issues that have actually been around for many years, but only just discovered by researchers.”
The reason the old dumb phones are less vulnerable is because they’re no longer attractive targets, not because of any inherent superiority.
“The alternative, and arguably the better option,” Santorelli said, “is to have a smartphone, but ensure it’s fully patched with one of the best password managers, and a user with some awareness of threats and ways to guard against them. Two-factor authentication will also keep you out of trouble a lot of the time.”
In that sense, Santorelli said, patches are crucial, even for third-party apps that aren’t part of the operating system.
“Every mobile operating system and most applications will come out with patches all the time,” he said. “Researchers find holes in software and developers fix them, hopefully, before too many hackers start to use them to compromise your system.”
So update those apps every time the Google Play or iOS app stores tell you to. Accept the upgrades to the latest operating-system versions when they arrive. Install and use one of the best Android antivirus apps on your Android device. (Sorry, but that doesn’t exist for iOS.)
And if your smartphone no longer gets OS updates or security patches, then it’s time to move on.