Is an old phone actually unsafe?
Not by itself. A five-year-old phone that still receives security updates is safer than a two-year-old phone that does not. The real question is never really how old your phone is — it is whether the manufacturer is still patching it. This guide walks through why updates stop, what that actually means for your security, and how to check where your phone stands.
Why do phones stop getting updates?
Every phone has a support window — a set number of years the manufacturer promises security updates. When that window closes, the phone still works, but it stops receiving fixes. Keeping older hardware patched costs time and money, so manufacturers eventually shift their attention to newer models.
The key thing to understand is what end of support really means. Your phone does not suddenly break. It keeps making calls and running your apps. But underneath, it quietly stops getting the security repairs that keep it safe.
What is a CVE (in plain English)?
A CVE — short for Common Vulnerabilities and Exposures — is a publicly catalogued security flaw. Think of it as an official entry in a global list of known weaknesses in software, each with its own reference number, like CVE-2024-12345.
Security researchers find these flaws constantly. When one is found in your phone operating system, it is given a CVE number and, crucially, it becomes public knowledge. That means attackers know about it too.
Good to know
New CVEs are published every single day. Modern phones get monthly security patches specifically to close the ones that affect them.
Why an unsupported phone cannot be fixed
When a CVE is discovered, the manufacturer writes a patch — a small update that closes the hole — and ships it in a security update. That is the entire point of those monthly updates.
But a patch only reaches phones that are still supported. If your phone is past its support window, the flaw is known, it is public, and it will never be fixed on your device. Attackers count on this: an unsupported phone becomes a collection of open, documented doors that no one is ever going to lock.
Important
This is what makes an old phone genuinely risky — not its age, but a growing pile of known, unpatched flaws that anyone can look up.
How long do iPhones get security updates?
Apple does not publish a fixed number, but in practice iPhones receive security updates for roughly five to seven years after release — often longer than the Android average. Apple also occasionally issues emergency fixes for older iOS versions when a serious flaw is being actively exploited.
A simple rule: if your iPhone can install the latest major version of iOS, it is fully supported. If it is stuck a version or two behind and no longer offered updates, it is living on borrowed time.
How long do Android phones get security updates?
This varies a lot by brand. Google Pixel and the latest Samsung Galaxy phones now promise up to seven years of updates. Many budget and mid-range Android phones, though, get only two to four years — and some barely get updates at all.
Because Android is made by many different manufacturers, there is no single answer. The only reliable way to know is to check your specific phone support policy — here is how.
How to check if your phone is still supported
It takes about a minute.
On an iPhone:
- Open Settings -> General -> Software Update.
- If the latest iOS version is installed or offered, you are supported.
- If it is stuck on an older version and says no more updates are available, support has likely ended.
On Android:
- Open Settings and search for Security update (often under Security or About phone).
- Check the Android security update date. If the newest available patch is more than a few months old, your phone may no longer be supported.
- Search your phone maker website for its update policy to confirm the support window for your model.
When should you replace your phone?
You do not need to rush out and buy a new phone the moment support ends — but you should treat it as a clear signal. Once your phone stops getting security updates, plan to replace it, and in the meantime be extra careful with anything sensitive on it.
Tip
A good rule of thumb: if your phone no longer gets security updates and you use it for anything sensitive — banking, email, work — it is time to upgrade.
Safer options if you cannot upgrade yet
If replacing your phone is not possible right now, you can still reduce the risk:
- Keep your apps updated — they often still update even when the operating system does not (though this is not a full fix).
- Avoid banking, work logins and other sensitive activities on the unsupported device.
- Remove apps you no longer use, and be extra wary of links and downloads.
- Turn on a screen lock and two-factor authentication on your important accounts.
If privacy and long-term security really matter to you, it is also worth looking at phones built specifically for it. See our guide to privacy-focused phones.
Was this guide helpful?
Know someone who needs this? Send them the guide.
JD
Written by
Jordan DicksonFounder, CyberSecurityGuides
Founder of CyberSecurityGuides, writing practical, jargon-free guides that help everyday people recover from and protect against online attacks.
Reviewed by CSG Security Engineers