With top-end smartphones like theand costing over $1,000, and even Google's more approachable coming in at $899, buying today's best new phones is simply out of the question for many of us. It's tempting, then, to consider buying a cheap older or used phone from eBay. And why not? The hardware is usually more than capable of handling what you need it to, and it's more environmentally friendly to keep using phones for longer, rather than sending them to a landfill.
The problem is that phones released years ago might run outdated versions of Android or iOS, which means they often don't have critical security updates that can keep you -- and your data -- safe from prying eyes. Though the hardware itself is often fine to keep using, particularly if you don't crave the best cameras or fastest processors, the lack of security support means that older phones could be far less safe. If you're concerned about security and privacy -- and you should be -- here are some things to consider.
What is a security patch for a phone OS?
Whenever hackers discover a new hole in your phone's software to exploit, phone-makers usually get it fixed, and that fix is sent out to your phone to make sure that nobody can take advantage of it. That's a security patch. You'll likely have received plenty of them over time as cybercriminals are always trying to find new ways to circumvent the security on your phone. It's a continual cycle of identifying threats, solving them, then finding the next one.
Most of the time, you'll never know about it, but it's the thing that's keeping your phone up to date and protected against known threats.
Why do manufacturers stop sending out security patches?
Manufacturers such as Samsung, Sony, Google and OnePlus only provide support to a phone for so long. Each new handset that's released and each new version of Android requires new threat assessment and patching. That's a lot of work, and it means that finding and patching those holes for every single handset spanning years and years just becomes unfeasible.
As a result, Google and the phone-makers eventually have to cut off support for older handsets, usually once a device gets to be two or three years old. Those handsets then will no longer receive security updates, meaning that when a threat is detected on that phone, it simply won't be fixed.
So is using an out-of-date phone safe?
As Christoph Hebeisen, director of the security intelligence company Lookout, explained, "We do not consider it safe to run a device that does not receive security patches. Critical security vulnerabilities become public knowledge every few weeks, or months, and once a system is out of support, then users who continue to run it become susceptible to exploitation of known vulnerabilities."
According to Hebeisen, a vulnerable phone could allow full access to everything that's on your phone, including your personal and company emails, contact information, your banking details or audio of your phone calls. A hacker could continue to have access to this information for as long as you continue using the compromised handset.
Paul Ducklin, principal research scientist at security company Sophos, agrees. "If your phone has a software vulnerability that crooks already know how to exploit, for example to steal data or implant malware, then that vulnerability is going to be with you forever," he said.
How do I know if my phone is too old?
Finding out if your phone is still supported and receiving security patches often isn't straightforward. To start, go into Settings and check your software updates. Install the latest version that's available. Usually it'll give you some indication of when the phone was last updated. If your phone says it has the latest OS software, but that latest version was installed many months or even years ago, it's bad news. Your phone is probably no longer supported.
Sadly, manufacturers don't give you a warning that tells you when they've dropped support for a phone, so you either find out through a rude awakening like I mentioned above, or figure it out yourself through some other means.
A good rule of thumb is that a phone will no longer be supported if it's two to three years old. This varies from company to company, however. Google's older Pixel phones typically got three years of software updates, but it upped that to five years of guaranteed updates with the Pixel 6 and 6 Pro. Google also mandates that manufacturers must provide at least two years of updates for devices. Apple, by comparison, still provides software updates for phones going back almost seven years, because it has relatively few models to manage.
Finding out if your Android phone is supported will involve some digging. I found Nokia's tool for seeing updates of its phones after going through a series of support pages on its website. Samsung sent me its list after I contacted its PR team, and it's available online here. Google has a page that clearly tells you when your Pixel or Nexus phone will lose security support. (Spoiler alert: All Nexus phones and the first three generations of Pixel -- including 2018's Pixel 3 -- are all out of support.) Your best place to start is with the support pages on your phone manufacturer's website.
You might not notice immediately if your phone is out of date. The most obvious sign you're on old software might be when you look for new apps to download. Many apps will simply be incompatible due to the software and hardware limitations on your phone and you won't be able to install them.
How can I tell if my phone has been hacked?
Whether you'd ever notice if your phone's security was compromised is difficult to say. Cybercriminals don't exactly make it known they've accessed your device, so you'll need to look for signs. Popups that might appear on the phone are a big giveaway, as are any apps that suddenly appear that you didn't download.
Look out for unexplained high data usage too, as it could be that malicious apps are using a lot of data in the background. Other indicators can also include unusually high battery usage and sluggish performance, but both of these can also be attributed to using older hardware that degrades over time.
How can I keep myself safe if I have an old phone?
As Hebeisen says, the best way to keep yourself safe is simply to not use a phone that's no longer supported. If you're short on money, can't afford to upgrade just yet or you're using an older phone temporarily for whatever reason, there are a couple of things you can do that could help.
First, you should make sure the phone has the latest software installed. If you bought it used, make sure to fully factory-reset the phone. Ensure that you only download apps from the Google Play Store (rather than from third-party or unofficial app stores) and certainly avoid installing apps by downloading the APK file from a website. This can often be a way that malicious software weasels its way into a phone.
You can help protect your personal information by simply not giving too much away in the first place. Don't do any banking on the phone, don't sync your company email accounts and don't send sexy pictures or have sexy video chats until you're back on a protected device. (Even over a phone, it's important to practice safe sex.) According to Hebeisen, if you don't take such precautions, "this might enable an attacker to observe and manipulate almost everything happening on the device." That's a cold shower, right there.