It’s easy enough to drop more than $1,000 on a flagship phone like the Samsung Galaxy S20 Ultra or an iPhone 11 Pro, and those eye-watering prices can also make you turn to a refurbished phone that comes at a fraction of the price. It’s not hard to find a second-hand HTC, Sony, or Samsung Galaxy handset that’s in good condition, but what about the security?

Old phones have old, outdated Android systems running on them. When the OS is old, there’s a good chance they don’t have the up-to-date security patches, explained Andrew Hoyle in a recent CNET article. Without the latest security updates, is your data actually safe from nefarious hackers? If you’re using an older handset, or thinking about buying one, there are some things that you should be taking into account.

What exactly is the issue? 

Hackers are constantly trying to find vulnerabilities in phone software, and when they find a way in, the phone makers usually fix it up and send a software update to your phone so you can’t fall victim. These are the basics of a security patch.

Over the life of your phone, you’ll have had plenty of them come through as the phone manufacturers battle cybercriminals who are looking for ways to get into your phone. Identify threat; find a fix; send it out to phones – it’s a continuing cycle of security.

You’ve probably barely ever noticed it, but this is how your phone is kept up to date and protected from threats.

Why do the patches stop?

The companies that make phones, like Google, Samsung, HTC, and Sony, will only work on these patches for so long. Whenever a new phone is released or a new version of Android comes on the market, there need to be new threat assessments and patches designed and implemented. There’s a lot of work involved in keeping your phone safe, and doing that work for every OS version for every single phone ever made just isn’t possible.

The HTC One M8, released in 2014, is no longer officially supported and doesn’t get security patches. Image credit: cnet.com

With time and costs to consider, Google and the hardware makers both cut off their support for old handsets, typically around two to three years after release. At that point, the handsets get no more security updates, so even if there’s a vulnerability that gets uncovered, you’re on your own.

How safe is using an out-of-date phone?

The director of security intelligence company Lookout, Christoph Hebeisen, explains, “We do not consider it safe to run a device that does not receive security patches. Critical security vulnerabilities become public knowledge every few weeks or months, and once a system is out of support, then users who continue to run it become susceptible to exploitation of known vulnerabilities.”

Check to see if your phone has the latest software installed. Image credit: cnet.com

Hebeisen reckons that if your phone becomes vulnerable, someone could get unlimited access to everything on your phone – your personal and work email, your contacts, all of your banking information, and even recordings of your phone calls. As long as you use a compromised phone, this information will always be available to the hacker. 

Sophos is a security company, and their principal research scientist Paul Ducklin said, “If your phone has a software vulnerability that crooks already know how to exploit, for example, to steal data or implant malware, then that vulnerability is going to be with you forever.”

How to tell if my phone isn’t getting patches anymore?

It’s not always so easy to find out if your phone is still getting supported with security updates. First, you can go into your Settings and see if you’ve got a software update pending; if so, make sure you get the most up-to-date version. This should give you an idea of when your phone last got an update. If you can see from your settings that your OS software last got updated months or years ago, chances are it’s not getting supported by the maker anymore.

Despite having the latest software installed, this Galaxy S6’s last security update was applied in 2018. That means that there are two years of new exploits that this phone is susceptible to. Image credit: cnet.com

There’s no warning from the manufacturer when your phone gets dropped from the update roster. You need to find out yourself by looking at your update history or figuring out some other way.
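One way to put a number on that update history, as an added example that is not part of the original article: the script below takes the “Android security patch level” date your phone reports and tells you how many months old it is. The three-month cut-off for “stale” and the script name are assumptions made for illustration, and the sample dates in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original article.
# MAX_AGE_MONTHS is an assumed cut-off for illustration, not a vendor rule.
MAX_AGE_MONTHS=${MAX_AGE_MONTHS:-3}

# Print the whole months between a security patch level and a reference
# date (both YYYY-MM-DD). Returns 1 if either value is malformed.
# Only the year and month are used; the day is checked for shape only.
patch_age_months() {
    for d in "$1" "$2"; do
        case $d in
            2[0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]) ;;
            *) return 1 ;;
        esac
    done
    # Removing the leading zero keeps 08 and 09 from being read as octal.
    py=${1%%-*}; pm=${1#*-}; pm=${pm%%-*}; pm=${pm#0}
    ry=${2%%-*}; rmo=${2#*-}; rmo=${rmo%%-*}; rmo=${rmo#0}
    [ "$pm" -ge 1 ] && [ "$pm" -le 12 ] || return 1
    [ "$rmo" -ge 1 ] && [ "$rmo" -le 12 ] || return 1
    echo $(( (ry - py) * 12 + (rmo - pm) ))
}

# Print "current", "stale" or "invalid" for a patch level and a date.
patch_status() {
    age=$(patch_age_months "$1" "$2") || { echo "invalid"; return 1; }
    if [ "$age" -lt 0 ]; then
        echo "invalid"   # patch level dated after the reference date
        return 1
    fi
    if [ "$age" -le "$MAX_AGE_MONTHS" ]; then
        echo "current"
    else
        echo "stale"
    fi
}

# Usage (patchcheck.sh is a hypothetical file name):
#   sh patchcheck.sh 2018-08-01 2020-05-15      # constructed sample dates
# With a phone connected over USB debugging, read the value directly:
#   sh patchcheck.sh "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')" "$(date +%Y-%m-%d)"
if [ "$#" -eq 2 ]; then
    patch_status "$1" "$2"
fi
```

A phone that reports an old patch level here may still be on its maker’s support list but waiting on a delayed update, so treat “stale” as a prompt to check the manufacturer’s support pages.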

It’s pretty standard for a phone to lose support two to three years after release, so that’s a decent rule of thumb. Even with the most recent software updates, the Galaxy S6, which was released back in 2015, last got a security update back in 2018, so anything that came up as a security issue since then hasn’t been dealt with. It’s not set in stone though, and different companies decide these things differently. As an example, Google says that it still runs updates for versions 8.0, 8.1, 9.0, and 10 of the Android OS. Pixel phones are updated for “at least three years” after the model’s launch and Google tells all manufacturers using Android that at least two years of updates must be provided. In comparison, Apple gives software updates for hardware that’s up to five years old, since there are only a few models and iOS versions to manage. The most recent iOS, number 13, works as far back as the iPhone 6S from 2015.

You’ll need to put a little effort into confirming if your Android phone is still being supported. There’s a Nokia tool that lets you see the updates it has sent out to phones, but it takes some trawling through multiple support pages on their company website. Hoyle was able to get a list of unsupported handsets from Samsung’s PR team, and there’s an online list you can check out. There’s a simple Google page that will tell you if your Nexus or Pixel is still getting security support, and if you don’t want to bother looking – no Nexus phones get security updates, the first Pixel doesn’t, and the Pixel 2 will lose support come October 2020. If you want to go digging, your first port of call should be your manufacturer’s website and its support pages.

There isn’t an immediate change that you’ll notice when your phone becomes outdated. The first thing that might give you a hint is when you start trying to download new apps. A lot of new apps just don’t work with older phones because they’re generally made for the most recent software and hardware specs; an old phone just won’t be able to handle them.

If I’ve been hacked, how do I know?

It’s not too easy to tell if the security of your phone has ever been compromised. By design, a cybercriminal is going to try to keep their access to your phone on the down low, so you need to look for subtle signs. Pop-ups that start appearing can be a big hint, along with apps on your phone that you didn’t put there.

If your data usage is unusually and unexplainably high, this is another sign you might have some malicious apps that are running in the background. A fast-draining battery and poor performance in terms of speed can also be signs you’ve been hacked, but are also common in older phones in general. 

What can I do to shore up my old phone? 

If you were to follow Hebeisen’s advice to the T, you wouldn’t be using an old phone that’s not supported anymore. That’s not always practical due to budgets, so if you’ve not got the dollars to invest in an upgrade, or you’re stuck with an older handset for other reasons, there are some steps you can take to get a little extra protection.

The Galaxy S6 was released in 2015, making it five years old. Most phones are only supported for two to three years. Image credit: cnet.com

The first thing that you can do is to ensure that you’ve got the most up-to-date software installed. When you’ve bought a second-hand device, be sure to do a full factory reset, even if the retailer says that it’s already been done. Make sure any apps that you put on to your phone come directly from Google Play Store rather than using any unofficial or third-party app stores. Definitely don’t go installing apps by downloading an APK file off a website. This is a standard gateway for malware to burrow its way onto your phone.

Keep your personal information secure by not putting it out there to start. If you’re working off an old phone, don’t use your banking apps on it, keep your work email away from it, and don’t do any NSFW sexy stuff until you’ve got a hack-proof, newer phone – safe sex is just as important on phones!

Hebeisen says that if you’re not taking these types of precautions, “this might enable an attacker to observe and manipulate almost everything happening on the device.” And now you’ve just got phone woke.