Live: The Best Black Friday deals PS5 restock tracker Black Friday sales you can't miss New COVID variant found in South Africa Xbox Game Pass Ultimate The Beatles: Get Back documentary

Is it safe to keep using an old or pre-owned Android phone?

Your security and privacy might be at risk if your Android phone is too old for the latest software. Here's how to find out if your phone runs the latest updates.


Would you share pictures like this if you knew hackers could see everything on your phone?

Andrew Hoyle/CNET

With brand new, top-end phones like the iPhone 13 Pro or Samsung Galaxy S21 Ultra costing over $1,000, it's tempting to pick up an older or a used phone on the cheap. But while you can grab a pre-owned Samsung Galaxy, Sony or HTC phone that seems decent for the price, is it safe to use them? 

It's both cost-effective and more environmentally friendly to keep using phones for longer. The problem is that phones released years ago run outdated versions of Android, which means they often don't have critical security updates that can keep you -- and your data -- safe from prying eyes. Though the hardware itself may be fine to keep using, the lack of security support means that older phones could be far less safe. If you're concerned about security and privacy, here are some things to consider.

Read moreHere's what $650 buys you in used phones on eBay

What is a security patch for a phone OS? 

Whenever hackers discover a new hole in your phone's software to exploit, phone-makers usually get it fixed, and that fix is sent out to your phone to make sure that nobody can take advantage of it. That's a security patch. You'll likely have received plenty of them over time as cybercriminals are always trying to find new ways to circumvent the security on your phone. It's a continual cycle of identifying threats, solving them, then finding the next one.

Most of the time, you'll never know about it, but it's the thing that's keeping your phone up to date and protected against known threats. 

Why do manufacturers stop sending out security patches?

Manufacturers such as Samsung, Sony, Google and HTC only provide support to a phone for so long. Each new handset that's released and each new version of Android require new threat assessment and patching. That's a lot of work, and it means that finding and patching those holes for every single handset spanning years and years just becomes unfeasible. 


The HTC One M8, released in 2014, is no longer officially supported and doesn't get security patches.

Andrew Hoyle/CNET

As a result, Google and the phone-makers eventually have to cut off support for older handsets, usually once a device gets to be two or three years old. Those handsets then will no longer receive security updates, meaning that when a threat is detected on that phone, it simply won't be fixed. 

So is using an out-of-date phone safe?

As Christoph Hebeisen, director of the security intelligence company Lookout, explains, "We do not consider it safe to run a device that does not receive security patches. Critical security vulnerabilities become public knowledge every few weeks, or months, and once a system is out of support, then users who continue to run it become susceptible to exploitation of known vulnerabilities."

According to Hebeisen, a vulnerable phone could allow full access to everything that's on your phone, including your personal and company emails, contact information, your banking details or audio of your phone calls. A hacker could continue to have access to this information for as long as you continue using the compromised handset.

Paul Ducklin, principal research scientist at security company Sophos, agrees, saying, "If your phone has a software vulnerability that crooks already know how to exploit, for example to steal data or implant malware, then that vulnerability is going to be with you forever."

Read more: Best portable chargers and power banks to buy for Android in 2020


Check to see if your phone has the latest software installed. 

Andrew Hoyle/CNET

How do I know if my phone is too old?

Finding out if your phone is still supported and receiving security patches often isn't straightforward. To start, go into Settings and check your software updates. Install the latest version. Usually it'll give you some indication of when the phone was last updated. If your phone says it has the latest OS software, but that latest version was installed many months or years ago, it's bad news. Your phone is probably no longer supported. 

Sadly, manufacturers don't give you a warning that tells you when they've dropped support for a phone, so you either find out through a rude awakening like I mentioned above, or figure it out yourself through some other means.

A good rule of thumb is that a phone will no longer be supported if it's two to three years old. This varies from company to company, however. Google's older Pixel phones typically got three years of software updates, but it upped that to five years of guaranteed updates with the latest Pixel 6 and 6 Pro. Google also mandates that manufacturers must provide at least two years of updates for devices. Apple, by comparison, still provides software updates for phones going back over five years, because it has relatively few models to manage. The latest iOS 15.1 can be installed on 2015's iPhone 6S ($210 at eBay).


Despite having the latest software installed, this Galaxy S6's last security update was applied in 2018. That means that there are two years of new exploits that this phone is susceptible to.

Andrew Hoyle/CNET

Finding out if your Android phone is supported will involve some digging. I found Nokia's tool for seeing updates of its phones after going through a series of support pages on its website. Samsung sent me its list after I contacted its PR team, and it's available online here. Google has a page that clearly tells you when your Pixel or Nexus phone will lose security support. (Spoiler alert: All Nexus phones and the first three generations of Pixel -- including 2018's Pixel 3 -- are all out of support.) Your best place to start is with the support pages on your phone manufacturer's website.

You might not notice immediately if your phone is out of date. The most obvious sign you're on old software might be when you look for new apps to download. Many apps will simply be incompatible due to the software and hardware limitations on your phone and you won't be able to install them. 

How can I tell if my phone has been hacked?

Whether you'd ever notice if your phone's security was compromised is difficult to say. Cybercriminals don't exactly make it known they've accessed your device, so you'll need to look for signs. Popups that might appear on the phone are a big giveaway, as are any apps that suddenly appear that you didn't download.

Look out for unexplained high data usage too, as it could be that malicious apps are using a lot of data in the background. Other indicators can also include unusually high battery usage and sluggish performance, but both of these can also be attributed to using older hardware that degrades over time.

How can I keep myself safe if I have an old phone? 

As Hebeisen says, the best way to keep yourself safe is simply to not use a phone that's no longer supported. If you're short on money, can't afford to upgrade just yet or you're using an older phone temporarily for whatever reason, there are a couple of things you can do that could help. 


The Galaxy S6 was released in 2015, making it six years old. Most phones are only supported for two to three years. 

Andrew Hoyle/CNET

First, you should make sure the phone has the latest software installed. If you bought it used, make sure to fully factory-reset the phone. Ensure that you only download apps from the Google Play Store (rather than from third-party or unofficial app stores) and certainly avoid installing apps by downloading the APK file from a website. This can often be a way that malicious software weasels its way into a phone.

You can help protect your personal information by simply not giving too much away in the first place. Don't do any banking on the phone, don't sync your company email accounts and don't send sexy pictures or have sexy video chats until you're back on a protected device. (Even over a phone, it's important to practice safe sex.) According to Hebeisen, if you don't take such precautions, "this might enable an attacker to observe and manipulate almost everything happening on the device." That's a cold shower, right there.

Read more: The best Android VPNs of 2020

Now playing: Watch this: Android 10: Tips and tricks