Is It Safe to Use an Old or Used Phone? Here's What You Should Know

You can save lots of money by buying a used iPhone or Android phone. But is it safe? Here's what you need to know.

Andrew Lanxon Editor At Large, Lead Photographer, Europe
[Image: a Samsung phone displaying the eggplant emoji. Caption: Would you share pictures like this if you knew hackers could see everything on your phone? Photo: Andrew Hoyle/CNET]

With today's best phones like the iPhone 15 Pro Max and Samsung Galaxy S23 Ultra costing over $1,000, it's no surprise many of us are looking towards more affordable options. One of the most cost-effective ways to get a phone in your hands is to shop the used market. And why not? The hardware is usually more than capable of handling what you need it to, and it's more environmentally friendly to keep using phones for longer, rather than sending them to landfill.

The problem is that phones released several years ago might run outdated versions of Android or iOS, which means they often don't have critical security updates that can keep you -- and your data -- safe from prying eyes. Though the hardware itself is often fine to keep using, particularly if you don't crave the best cameras or fastest processors, the lack of security support means that older phones could be far less safe. If you're concerned about security and privacy -- and you should be -- here are some things to consider.

What is a security patch for a phone OS?

Whenever hackers discover a new hole in your phone's software to exploit, phone-makers usually get it fixed, and that fix is sent out to your phone to make sure that nobody can take advantage of it. That's a security patch. You'll likely have received plenty of them over time as cybercriminals are always trying to find new ways to circumvent the security on your phone. It's a continual cycle of identifying threats, solving them, then finding the next one.

Most of the time, you'll never know about it, but it's the thing that's keeping your phone up to date and protected against known threats.

Why do manufacturers stop sending out security patches?

Manufacturers such as Samsung, Sony, Google and OnePlus only provide support to a phone for so long. Each new handset that's released and each new version of Android requires new threat assessment and patching. That's a lot of work, and it means that finding and patching those holes for every single handset spanning years and years just becomes unfeasible.

[Image: the back of an HTC One M8. Caption: The HTC One M8, released in 2014, is no longer officially supported and doesn't get security patches. Photo: Andrew Hoyle/CNET]

As a result, Google and the phone-makers eventually have to cut off support for older handsets, usually once a device gets to be two or three years old. Those handsets then no longer receive security updates, meaning that when a new vulnerability affecting that phone is found, it simply won't be fixed.

So is using an out-of-date phone safe?

As Christoph Hebeisen, director of the security intelligence company Lookout, explained, "We do not consider it safe to run a device that does not receive security patches. Critical security vulnerabilities become public knowledge every few weeks, or months, and once a system is out of support, then users who continue to run it become susceptible to exploitation of known vulnerabilities."

According to Hebeisen, a vulnerable phone could allow full access to everything that's on your phone, including your personal and company emails, contact information, your banking details or audio of your phone calls. A hacker could continue to have access to this information for as long as you continue using the compromised handset.

Paul Ducklin, principal research scientist at security company Sophos, agrees. "If your phone has a software vulnerability that crooks already know how to exploit, for example to steal data or implant malware, then that vulnerability is going to be with you forever," he said.

[Image: the software update page of a Samsung phone. Caption: Check to see if your phone has the latest software installed. Photo: Andrew Hoyle/CNET]

How do I know if my phone is too old?

Finding out if your phone is still supported and receiving security patches often isn't straightforward. To start, go into Settings and check your software updates. Install the latest version that's available. Usually it'll give you some indication of when the phone was last updated. If your phone says it has the latest OS software, but that latest version was installed many months or even years ago, it's bad news. Your phone is probably no longer supported.
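The same check can be done from a computer rather than by reading the Settings screen. The following is an added example, not code from the CNET article: it reads the phone's security patch level, which Android exposes as the system property `ro.build.version.security_patch` (formatted YYYY-MM-DD), either from a captured `adb shell getprop` dump or live over ADB, and reports how many months the phone has gone without a patch. The `getprop` sample below is constructed, and the "current / stale / unsupported" thresholds are assumptions chosen for illustration, not figures from the article.

```python
"""Estimate how stale an Android phone's security patch level is.

Added example (not from the article). Reads the real Android system property
`ro.build.version.security_patch` from `adb shell getprop` output and turns the
patch date into a rough verdict. Thresholds below are assumptions for illustration.
"""
import re
import subprocess
from datetime import date
from typing import Optional

PATCH_PROP = "ro.build.version.security_patch"

# Constructed sample of `adb shell getprop` output (not captured from a real device):
# an Android 7.0 handset whose last security patch level is March 2018.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [7.0]
[ro.build.version.sdk]: [24]
[ro.build.version.security_patch]: [2018-03-01]
[ro.product.model]: [SM-G920F]
"""


def parse_patch_level(getprop_output: str) -> Optional[date]:
    """Return the security patch date found in `getprop` output, or None if absent."""
    pattern = r"\[" + re.escape(PATCH_PROP) + r"\]: \[(\d{4}-\d{2}-\d{2})\]"
    match = re.search(pattern, getprop_output)
    return date.fromisoformat(match.group(1)) if match else None


def months_since(patch: date, today: date) -> int:
    """Whole months between the patch level and today (day-of-month ignored)."""
    return (today.year - patch.year) * 12 + (today.month - patch.month)


def classify_getprop(getprop_output: str, today_iso: str) -> str:
    """Rough verdict for the device. Thresholds are assumptions, not from the article:
    <= 3 months -> "current", <= 12 months -> "stale", older -> "unsupported"."""
    patch = parse_patch_level(getprop_output)
    if patch is None:
        return "unknown"
    age = months_since(patch, date.fromisoformat(today_iso))
    if age <= 3:
        return "current"
    if age <= 12:
        return "stale"
    return "unsupported"


def read_getprop_from_device() -> str:
    """Fetch `getprop` output from an attached phone (needs adb and USB debugging)."""
    return subprocess.run(
        ["adb", "shell", "getprop"], capture_output=True, text=True, check=True
    ).stdout


if __name__ == "__main__":
    # Use the constructed sample so the script runs without a phone attached;
    # swap in read_getprop_from_device() to check a real handset.
    output = SAMPLE_GETPROP
    patch = parse_patch_level(output)
    print("security patch level:", patch)
    print("verdict:", classify_getprop(output, date.today().isoformat()))
```

A phone that reports the newest OS build it will ever get can still show a patch level years in the past, which is exactly the situation the article describes; the verdict here is only as good as the thresholds you pick, so treat them as a starting point.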

Sadly, manufacturers don't give you a warning that tells you when they've dropped support for a phone, so you either find out through a rude awakening like I mentioned above, or figure it out yourself through some other means.

A good rule of thumb is that a phone will no longer be supported if it's two to three years old. This varies from company to company, however. Google's previous few Pixel phones typically got five years of software updates, but it made a big push to extend that with its latest Pixel 8 and 8 Pro, promising security updates for seven years. Companies like Fairphone take that even further, promising at least eight years of support. Apple, by comparison, still provides software updates for phones going back almost seven years, because it has relatively few models to manage.

[Image: the last-update screen of a Samsung phone. Caption: Despite having the latest software installed, this Galaxy S6's last security update was applied in 2018. That means that there are years of new exploits that this phone is susceptible to. Photo: Andrew Hoyle/CNET]

Finding out if your Android phone is supported will involve some digging. Samsung sent me its list after I contacted its PR team, and it's available online here, and while it makes it clear which phones are currently supported with updates, it doesn't say for how long those updates will continue. Google has a page that clearly tells you when your Pixel or Nexus phone will lose security support. (Spoiler alert: All Nexus phones and the first three generations of Pixel -- including 2018's Pixel 3 -- are all out of support.) Your best place to start is with the support pages on your phone manufacturer's website.

You might not notice immediately if your phone is out of date. The most obvious sign you're on old software might be when you look for new apps to download. Many apps will simply be incompatible due to the software and hardware limitations on your phone and you won't be able to install them.

How can I tell if my phone has been hacked?

Whether you'd ever notice if your phone's security was compromised is difficult to say. Cybercriminals don't exactly make it known they've accessed your device, so you'll need to look for signs. Popups that might appear on the phone are a big giveaway, as are any apps that suddenly appear that you didn't download.

Look out for unexplained high data usage too, as it could be that malicious apps are using a lot of data in the background. Other indicators can also include unusually high battery usage and sluggish performance, but both of these can also be attributed to using older hardware that degrades over time.

How can I keep myself safe if I have an old phone?

As Hebeisen says, the best way to keep yourself safe is simply to not use a phone that's no longer supported. If you're short on money, can't afford to upgrade just yet or you're using an older phone temporarily for whatever reason, there are a couple of things you can do that could help.

[Image: the Android N logo on a Samsung phone. Caption: The Galaxy S6 was released in 2015, and is no longer officially supported by Samsung. Photo: Andrew Hoyle/CNET]

First, you should make sure the phone has the latest software installed. If you bought it used, make sure to fully factory-reset the phone. Ensure that you only download apps from the Google Play Store (rather than from third-party or unofficial app stores) and certainly avoid installing apps by downloading the APK file from a website. This can often be a way that malicious software weasels its way into a phone.
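Two of the signs above, apps that appeared without you installing them and apps that arrived as a sideloaded APK rather than from the Play Store, can be checked mechanically. The following is an added example, not code from the article: it parses the output of `adb shell pm list packages -3 -i` (real Android commands: `-3` lists only third-party packages, `-i` appends the installing package), diffs it against a snapshot you saved right after the factory reset, and flags packages whose installer is not the Play Store (`com.android.vending`). The two snapshots are constructed, and the exact `installer=` output format is stated as an assumption in the code.

```python
"""Spot apps that appeared on the phone since setup, or that were not installed
from the Play Store.

Added example (not from the article). Input is the output of
`adb shell pm list packages -3 -i`, assumed to look like
`package:<name>  installer=<installer package>` per line, with `installer=null`
for sideloaded APKs. Package names below are constructed for illustration.
"""
import re
import subprocess
from typing import Dict, Optional, Set

PLAY_STORE = "com.android.vending"

# Constructed snapshot saved right after the factory reset and initial app setup.
SNAPSHOT_AT_SETUP = """\
package:com.example.bank  installer=com.android.vending
package:com.example.messenger  installer=com.android.vending
"""

# Constructed snapshot taken weeks later: one package the owner never installed,
# and it did not come from the Play Store.
SNAPSHOT_NOW = """\
package:com.example.bank  installer=com.android.vending
package:com.example.messenger  installer=com.android.vending
package:com.example.free.cleaner  installer=null
"""

_LINE = re.compile(r"^package:(\S+)(?:\s+installer=(\S+))?")


def parse_package_list(pm_output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when missing or 'null')."""
    packages: Dict[str, Optional[str]] = {}
    for line in pm_output.splitlines():
        match = _LINE.match(line.strip())
        if not match:
            continue
        installer = match.group(2)
        packages[match.group(1)] = None if installer in (None, "null") else installer
    return packages


def new_packages(snapshot_before: str, snapshot_now: str) -> Set[str]:
    """Third-party packages present now that were not in the earlier snapshot."""
    return set(parse_package_list(snapshot_now)) - set(parse_package_list(snapshot_before))


def sideloaded_packages(snapshot: str) -> Set[str]:
    """Packages whose recorded installer is anything other than the Play Store."""
    return {name for name, installer in parse_package_list(snapshot).items()
            if installer != PLAY_STORE}


def snapshot_from_device() -> str:
    """Capture the current list from an attached phone (needs adb and USB debugging)."""
    return subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-3", "-i"],
        capture_output=True, text=True, check=True,
    ).stdout


if __name__ == "__main__":
    # Runs offline on the constructed snapshots; use snapshot_from_device() for a real phone.
    print("appeared since setup:", sorted(new_packages(SNAPSHOT_AT_SETUP, SNAPSHOT_NOW)))
    print("not from the Play Store:", sorted(sideloaded_packages(SNAPSHOT_NOW)))
```

Save the setup snapshot somewhere other than the phone itself; the diff is only meaningful if the baseline could not have been altered by whatever you are looking for. A package in the "not from the Play Store" list is not proof of compromise (carrier and enterprise tools are installed the same way), but it is the first thing to account for.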

You can help protect your personal information by simply not giving too much away in the first place. Don't do any banking on the phone, don't sync your company email accounts and don't send sexy pictures or have sexy video chats until you're back on a protected device. (Even over a phone, it's important to practice safe sex.) According to Hebeisen, if you don't take such precautions, "this might enable an attacker to observe and manipulate almost everything happening on the device." That's a cold shower, right there.