Some people upgrade to a new iPhone every year, to get the latest cameras or other features. But if you’re like most people, you keep your phone for several years before upgrading to a newer model. Perhaps you mainly use your iPhone for the basics, or feel that as long as it isn’t broken and the battery still holds a charge, there’s no real reason to upgrade. (In fact, Apple will even replace the battery for you at a reasonable price, if yours has lost too much of its capacity.)
However, you might not be aware that there’s a real danger in using an iPhone for too long. Specifically, if an iPhone can no longer run the latest version of Apple’s iOS operating system, it will miss out on a lot of critical security updates. Vulnerabilities that remain unpatched can put you at risk.
In this article, we’ll explain in greater detail why using an old iPhone can be dangerous, and which iPhone models are safe to buy in 2023. (See also our article about when old Macs become unsafe to use.)
- The risk of not getting security updates: zero-day and zero-click exploits
- Apple’s patching policy provides a false sense of security
- When should you upgrade your iPhone?
- Which devices can run the latest version of iOS?
- Key takeaways
- How can I learn more?
The risk of not getting security updates: zero-day and zero-click exploits
Apple regularly issues security updates for all its platforms, and some of these updates patch “zero-day vulnerabilities,” which are serious vulnerabilities that are being actively exploited in the wild. This means that they are not merely theoretical vulnerabilities; any device that doesn’t get updated is at risk of becoming compromised (hacked) by threat actors. Most users don’t think much about this, but there is a real danger to not getting security updates for your iPhone.
The most serious of these are what are called “zero-click” vulnerabilities. This type of vulnerability exploits weaknesses in the operating system to compromise devices—without the user doing anything at all. You don’t have to get tricked into launching an app or tapping on a link to a website. Many of these exploits take advantage of vulnerabilities that occur when, for example, a preview of a webpage or photo is displayed in the Messages or Mail apps.
Zero-click exploits can even infect your device when it’s completely locked, just sitting there on your Lock Screen. It is well known that the NSO Group’s Pegasus spyware has used zero-click exploits in its arsenal of attacks, which have targeted the iPhones of politicians, journalists, and activists. Most of these attacks attempt to compromise devices belonging to specific people in order to gain intelligence. (See our story archives about Pegasus and zero-click exploits.)
Most average users don’t necessarily have to worry about Pegasus or similar nation-state spyware, per se. However, eventually the details about the vulnerabilities used by Pegasus and other spyware will come to light. (Notably, Apple gives some details about most of the vulnerabilities it patches. Moreover, savvy experts are able to reverse-engineer Apple’s patches to see exactly how a vulnerability was fixed—and how to exploit it on unpatched devices.) In other words, today’s nation-state attacker’s vulnerability could become part of tomorrow’s everyday cybercriminal’s arsenal. And at that point, if your iPhone or other Apple devices are not up-to-date, then you are at risk from more widespread attacks.
WebKit vulnerabilities affect all iOS browsers
Some vulnerabilities that Apple patches in its security updates involve WebKit, the rendering engine used by the Safari Web browser. In fact, as of iOS 16, all third-party browsers on iOS and iPadOS use WebKit; Apple’s App Store policies prohibit browsers like Firefox and Chrome from bringing their own engines. (This may change beginning with iOS 17, if Apple is forced to allow third-party app stores.)
Not having a fully up-to-date iOS version means that your iPhone could be compromised by simply browsing to a hacked or malicious site, or even when you view a malicious email with embedded rich Web content.
Apple’s patching policy provides a false sense of security
Apple regularly issues security updates for the current operating systems of all its devices. They occasionally issue security updates for the previous versions of their operating systems, but it’s important to be aware that these updates don’t always patch all vulnerabilities. (In some cases, some vulnerabilities patched in today’s operating system might not have existed in last year’s operating system, but in other cases, Apple simply chooses not to back-port a patch.)
Continuing to run any Apple device on the previous operating system version can be risky. Running an Apple device on an operating system older than the previous one is even more dangerous, because in many cases Apple has almost completely (or completely) stopped issuing updates for it.
Unfortunately, Apple doesn’t make this transparent to users. If you’re still using an iPhone 7 today, for example, your device cannot run iOS 16—but you’re still getting security updates pushed to your device for iOS 15. Unless you read The Mac Security Blog, you’re probably blissfully unaware that iOS 15 isn’t fully patched, which means it’s much less safe to use than iOS 16. As one recent example, iOS 16 got Rapid Security Response updates for two actively exploited vulnerabilities weeks before iOS 15 got those same vulnerabilities patched. And when iOS 15 eventually got those patches, it received less than half as many security fixes as iOS 16’s corresponding update.
Put more bluntly, Apple gives a false sense of security by providing an incomplete set of patches to the “current minus one” OS, leaving users vulnerable but thinking they’re protected. This is true not just for iOS 15, but also for iPadOS 15 and macOS Monterey. We have every reason to expect that the same will be true when future operating systems come out that replace iOS 16, iPadOS 16, and macOS Ventura; the “one version old” operating systems might still get patches, but will be significantly less safe to use, and significantly more vulnerable to exploitation.
When should you upgrade your iPhone?
Many people assume that an iPhone, if it hasn’t been damaged, should last for about three years. The age at which people have traded in iPhones has increased in recent years, and now the average trade-in age is nearly three and a half years. But this masks the fact that many people don’t trade in old phones; they may keep using them for many years, or pass them on to friends or family members. And remember that that’s just the average; while some people upgrade yearly, others wait five, six, or seven years or longer before buying a new iPhone.
In order to get the maximum value out of an iPhone purchase, it makes the most sense to buy new flagship models when they are first released, usually in the fall of each year. This will help ensure that you get as many years as possible out of your purchase (as we will continue to explore further in this article). The main thing to know is that when you buy a brand-new model, you can rest assured that it will get the maximum number of years of major new iOS releases—and that means the maximum number of years of security updates, too.
Which devices can run the latest version of iOS?
For many years, Apple ensured that old devices were able to run the latest version of iOS. You could have bought a new iPhone in late 2015 that was still getting security updates seven years later. Until iOS 16, which was released in late 2022, you could still run the latest version of iOS on an iPhone as old as the iPhone 6S. In fact, the iPhone 6S had been the cutoff for devices supporting the latest version of iOS since iOS 13 (see the chart below).
But Apple may not always be so generous; the company doesn’t have any published policy regarding how many years a given iPhone model will continue to get major new iOS versions. Also, keep in mind that many iPhone users don’t buy immediately after a new model comes out; some may wait until the early-fall sales in anticipation of the next model’s release, just to save a bit of money. This isn’t necessarily a great idea from a security perspective, if you want to maximize the number of years you can safely get out of that device—but most people are completely unaware of this.
According to Apple’s own statistics (as seen in the chart below), as of February 2023, 8% of all iPhones were running a version of iOS older than iOS 15—which means their operating system is more than two years old. Many of these may be devices older than the iPhone 6S, which was able to run iOS 15, but some may also be devices whose owners have simply not upgraded iOS, for a variety of reasons.
As an aside, even if we focus on just the iPhone models introduced in the past four years—all of which are iOS 16 compatible—15% of them were still running iOS 15, and an additional 4% were running something older than that. On the surface, that means that nearly 1 in 5 recent iPhones are running a very old, outdated, and insecure operating system. (Of course, if we were able to dig deeper into which specific versions of iOS users were running, we would likely see that even amongst iOS 16 users, relatively few are installing every iOS update quickly and staying fully patched at any given time.)
iPhones no longer supported by iOS 17
Several phones that had been iOS-upgradable for years no longer receive full security updates as of the release of iOS 16 in September 2022. Only the iPhone 8, iPhone X, and later models can run iOS 16. And with iOS 17 to be released in just a few months, Apple will be dropping the iPhone 8 and iPhone X from the compatibility list. (The oldest still-supported models will be the iPhone XR and iPhone XS.)
To be fair, Apple doesn’t cut off devices as soon as some Android manufacturers do; many Android phones only get three years of security updates from the first sale date for a given model.
Think twice before buying an old model, no matter how good a “deal” it may seem
If you’re thinking about buying an old model of iPhone, or a refurbished unit, beware that its safe lifespan is limited. The same is true if you hand an iPhone down to a family member; it’s important to ensure that the model in question will still get major iOS updates for as long as you plan to use it.
Apple always sells one or two older model iPhones, still new in box, alongside the latest model. From Apple’s perspective, this is a good way to reach a lower-income or more price-conscious audience, by offering iPhones that are less expensive than the newest version. For now, Apple is still selling the iPhone 12 and iPhone 13, alongside the newest model, the iPhone 14. Apple is also selling the iPhone SE (3rd generation), which is the least expensive new model. It’s pretty safe to buy an iPhone 13, as it is likely to get security updates for a few more years. However, released in late 2020, the iPhone 12 is already three years old. It’s very possible that, if you buy one now, you may not get even three years of security updates for it. The latest iPhone SE, released in March 2022, likely still has at least a few years of support ahead of it, and may outlast the iPhone 12 when it comes to major iOS upgrades. It’s probably not a great idea to buy an iPhone 12 at this point.
What about refurbished iPhones?
Apple also sells some refurbished iPhone units. As of today, the oldest iPhone that is currently listed on Apple’s website is the iPhone 11 in the U.S. and UK stores (though at the time of this writing, there are none in stock). Nothing suggests that this model won’t run iOS 17, but it’s entirely possible that, come iOS 18 in fall 2024, Apple may no longer support this model. In theory, this means that you could potentially buy an iPhone 11, directly from Apple, that may only be safe to use for a bit longer than a year before it no longer receives security updates.
This is not as bad as Apple selling the Apple Watch Series 3 new after it had stopped getting security updates; it was unconscionable to sell a device that had already been cut off. Apple even continued to sell the Apple Watch Series 3 refurbished for eight months after its final security update.
Should you buy a used, refurbished, or “new in box” older model of iPhone, from a third party?
You can buy used, refurbished, or even “new” older iPhone models from many sources: Amazon sells them, eBay sellers always have plenty of stock, and mobile carriers’ stores may sell them as well. If you shop around, you’ll likely see iPhone 8 models, and even older. You may think you’re getting a good deal by buying an old iPhone at a steep discount, but doing so may put you at risk. It may either have already been cut off from the latest major iOS version, or it may lose that benefit a few months from now, or in a little over a year—and that means you could be cut off from some important security updates.
What about the iPhone SE?
The current model of iPhone SE (3rd Gen) was released a little over a year ago as of this article’s publication date. It’s a fairly safe assumption that, based on Apple’s past practices, this model is likely to get at least five more years of major iOS upgrades.
A brand new third-generation SE from Apple starts at $429. If you shop around, you can probably find one for $300 or less. (In fact, it’s often thrown in for free when activating new service or when adding a new line.) Averaging out the one-time $300–429 over the device’s optimal-security lifespan of roughly five more years, the iPhone SE (3rd Gen) would cost you around $5–7 per month until you’d need to consider upgrading to a newer model. At that point, you’d probably need to spend roughly the same amount of money to buy the latest iPhone SE or equivalent budget model.
Not everyone can afford to buy a brand new iPhone model every one to three years. Buying an older model to save money can certainly be tempting. However, it’s important to be aware that if you buy one that is more than a couple of years old, it may end up becoming unsafe before you know it, even if you buy it from Apple.
So when is the best time to buy? If you want to get the maximum lifespan out of your iPhone purchase, buy new, as soon as the new flagship model comes out, which is usually in the fall. If you want to keep using an iPhone for as many years as possible, avoid buying models that are more than a year old; these models will get cut off from major iOS upgrades sooner than newer devices, which will make them unsafe to use in a much shorter timeframe.
How can I learn more?
You may also be interested in Intego Chief Security Analyst Josh Long’s FAQ thread on 𝕏/Twitter addressing common misconceptions about iPhone security updates (click to read the full post and thread):
⚠️ I’m seeing a ton of misinformation about iPhone security updates. Apparently almost nobody on 𝕏 has a correct understanding of this.* 🤦🏼♂️ Allow me to help set the record straight. 🍏🔒
*This is a strong argument for why Apple needs to make public commitments about how long it… pic.twitter.com/3OxIiX99jK
— Josh Long (the JoshMeister) (@theJoshMeister) October 5, 2023
If you’re a Mac user, see also our related article, When does an old Mac become unsafe to use?
Header graphic credits: iPhone X image by Rafael Fernandez (CC BY-SA 4.0); “Stairway To Heaven?” image by Richard Walker (CC BY 2.0); cane via Twemijo 12.1.6 (CC BY 4.0); beard by OseBoi (free); glasses by Clker (PD); compilation by Joshua Long for Intego.