When does an old iPhone become unsafe to use?
Posted on
by
Kirk McElhearn and Joshua Long
Some people upgrade to a new iPhone every year, to get the latest cameras or other features. But if you’re like most people, you keep your phone for several years before upgrading to a newer model. Perhaps you mainly use your iPhone for the basics, or feel that as long as it isn’t broken and the battery still holds a charge, there’s no real reason to upgrade. (In fact, Apple will even replace the battery for you at a reasonable price, if yours has lost too much of its capacity.)
However, you might not be aware that there’s a real danger in using an iPhone for too long. Specifically, if an iPhone can no longer run the latest version of Apple’s iOS operating system, it will miss out on a lot of critical security updates. Vulnerabilities that remain unpatched can put you at risk.
In this article, we’ll explain in greater detail why using an old iPhone can be dangerous, and which iPhone models are safe to buy in 2024. (See also our articles about when old Macs become unsafe to use and when old iPads become unsafe to use.)
- The risk of not getting security updates: zero-day and zero-click exploits
- Apple’s patching policy provides a false sense of security
- When should you upgrade your iPhone?
- Which devices can run the latest version of iOS?
- Key takeaways
- How can I learn more?
The risk of not getting security updates: zero-day and zero-click exploits
Apple regularly issues security updates for all its platforms, and some of these updates patch “zero-day vulnerabilities,” which are serious vulnerabilities that are being actively exploited in the wild. This means that they are not merely theoretical vulnerabilities; any device that doesn’t get updated is at risk of becoming compromised (hacked) by threat actors. Most users don’t think much about this, but there is a real danger to not getting security updates for your iPhone.
Zero-click vulnerabilities
The most serious of these are what are called “zero-click” vulnerabilities. This type of vulnerability exploits weaknesses in the operating system to compromise devices—without the user doing anything at all. You don’t have to get tricked into launching an app or tapping on a link to a website. Many of these exploits take advantage of vulnerabilities that occur when, for example, a preview of a webpage or photo is displayed in the Messages or Mail apps.
Zero-click exploits can even infect your device when it’s completely locked, just sitting there on your Lock Screen. It is well known that the NSO Group’s Pegasus spyware has used zero-click exploits in its arsenal of attacks, which have targeted the iPhones of politicians, journalists, and activists. Most of these attacks attempt to compromise devices belonging to specific people in order to gain intelligence. (See our story archives about Pegasus and zero-click exploits.)
Most average users don’t necessarily have to worry about Pegasus or similar nation-state spyware, per se. However, eventually the details about the vulnerabilities used by Pegasus and other spyware will come to light. (Notably, Apple gives some details about most of the vulnerabilities it patches. Moreover, savvy experts are able to reverse-engineer Apple’s patches to see exactly how a vulnerability was fixed—and how to exploit it on unpatched devices.) In other words, today’s nation-state attacker’s vulnerability could become part of tomorrow’s everyday cybercriminal’s arsenal. And at that point, if your iPhone or other Apple devices are not up-to-date, then you are at risk from more widespread attacks.
WebKit vulnerabilities affect all iOS browsers
Some vulnerabilities that Apple patches in its security updates involve WebKit, the rendering engine used by the Safari Web browser. In fact, as of March 2024, all third-party browsers on iOS and iPadOS use WebKit; Apple’s App Store policies prohibit browsers like Firefox and Chrome from bringing their own engines. (This may change later in 2024, specifically in the EU; developers now have the option to distribute non-WebKit versions of their browsers through third-party app marketplaces.)
Not having a fully up-to-date iOS version means that your iPhone could be compromised by simply browsing to a hacked or malicious site, or even when you view a malicious email with embedded rich Web content.
Apple’s patching policy provides a false sense of security
Apple regularly issues security updates for the current operating systems of all its devices. They occasionally issue security updates for the previous versions of their operating systems, but it’s important to be aware that updates for older Apple OS versions don’t patch all vulnerabilities. (In certain cases, some vulnerabilities patched in today’s operating system might not have existed in last year’s operating system, but perhaps more often than not, Apple simply chooses not to back-port a patch.)
Continuing to use the previous operating system version any Apple device on can be risky. Running an Apple device on an operating system older than the previous one is even more dangerous, because Apple has, in many cases, almost completely (or completely) stopped issuing updates.
Unfortunately, Apple doesn’t make this transparent to users. If you’re still using an iPhone 8 or X today, for example, your device cannot run iOS 17—but you’re still getting occasional security updates pushed to your device for iOS 16. Unless you read The Mac Security Blog, you’re probably blissfully unaware that iOS 16 isn’t fully patched, which means it’s much less safe to use than iOS 17. As just one recent example, iOS 17.4 addressed 39 vulnerabilities that have CVE numbers assigned, while the corresponding iOS 16 update only patched 19 CVEs—about half as many.
Put more bluntly, Apple gives a false sense of security by providing an incomplete set of patches to the “current minus one” OS, leaving users vulnerable but thinking they’re protected. The same is not just true for iOS 16, but also for iPadOS 16 and macOS Ventura as well. Based on Apple’s history over the past several years, we have every reason to expect that the same will be true when future operating systems come out that replace iOS 17, iPadOS 17, and macOS Sonoma; the “one version old” older operating systems might still get patches, but will be significantly less safe to use, and significantly more vulnerable to exploitation.
When should you upgrade your iPhone?
Many people assume that an iPhone, if it hasn’t been damaged, should last for about three years. The age at which people have traded in iPhones has increased in recent years, and now the average trade-in age is nearly three and a half years. But this masks the fact that many people don’t trade in old phones; they may keep using them for many years, or pass them on to friends or family members. And remember that that’s just the average; while some people upgrade yearly, others wait five, six, or seven years or longer before buying a new iPhone.
In order to get the maximum value out of an iPhone purchase, it makes the most sense to buy new flagship models when they are first released, usually in the fall of each year. This will help ensure that you get as many years as possible out of your purchase (as we will continue to explore further in this article). The main thing to know is that when you buy a brand-new model, you can rest assured that it will get the maximum number of years of major new iOS releases—and that means the maximum number of years of security updates, too.
Which devices can run the latest version of iOS?
For many years, Apple ensured that old devices were able to run the latest version of iOS. You could have bought a new iPhone in late 2015 that was still getting security updates seven years later. Until iOS 16, which was released in late 2022, you could still run the latest version of iOS on an iPhone as old as the iPhone 6S. In fact, the iPhone 6S had been the cutoff for devices supporting the latest version of iOS since iOS 13 (see the chart below).
In late 2023, Apple filed a regulatory document in the UK stating that they would provide updates for a minimum of five years from the date of first sale. This means that an iPhone first sold in September 2023 would be guaranteed to get security updates until at least September 2028. In June 2024, Apple announced the release of iOS 18, and stated that iPhones as old as the iPhone XS and iPhone XR would be able to run the new operating system. These devices were released in late 2018, so that means that they will effectively have at least seven years of updates, until the release of iOS 19. (Which they may or may not be able to run.) So, in practice, Apple is offering more than five years of updates.
Many iPhone users don’t buy immediately after a new model comes out; some may wait until the early-fall sales in anticipation of the next model’s release, to save a bit of money. This isn’t necessarily a great idea from a security perspective, if you want to maximize the number of years you can safely get out of that device—but most people are completely unaware of this.
According to Apple’s own statistics (as seen in the chart below), as of June 2024, 14% of all iPhones were still running iOS 16—which means their operating system was likely at least several months old.
And worse yet, an additional 9% of all iPhones were running a version of iOS older than iOS 16—meaning their operating system was at least three years old. Many of these may be devices older than the iPhone 8, 8 Plus, or X, which were able to run iOS 16, but some may also be devices whose owners have simply not upgraded iOS, for a variety of reasons.
In total, 23%—nearly one fourth—of all iPhones were running an outdated operating system, and susceptible to being exploited with known vulnerabilities.
As an aside, even if we focus on just the iPhone models introduced in the past four years—all of which are iOS 17 compatible—11% of them were still running iOS 16, and an additional 3% were running something older than that. On the surface, that means that nearly 1 in 7 recent iPhones are running a very old, outdated, and insecure operating system.
(Of course, if we were able to dig deeper into which specific versions of iOS users were running, we would likely see that even amongst iOS 17 users, relatively few are installing every iOS update quickly and staying fully patched at any given time.)
iPhones no longer supported by iOS 17
Several phones that had been iOS-upgradable for years no longer receive full security updates as of the release of iOS 17 in September 2023. Only the iPhone XS and XR or later can run iOS 17, and the some devices will be able to run iOS 18 when it is released in the fall of 2024.
To be fair, Apple doesn’t cut off devices as soon as some Android manufacturers do; some Android phones only get three years of security updates from the first sale date for a given model.
Think twice before buying an old model, no matter how good a “deal” it may seem
If you’re thinking about buying an old model of iPhone, or a refurbished unit, beware that its safe lifespan is limited. The same is true if you hand an iPhone down to a family member; it’s important to ensure that the model in question will still get major iOS updates for as long as you plan to use it.
Apple always sells one or two older model iPhones, still new in box, alongside the latest model. From Apple’s perspective, this is a good way to reach a lower-income or more price-conscious audience, by offering iPhones that are less expensive than the newest version. For now, Apple is still selling the iPhone 13 and iPhone 14, alongside the newest model, the iPhone 15. If we look at refurbished models, Apple is even still selling the iPhone 12.
Apple is also selling the iPhone SE (3rd generation), which is the least expensive “new” model. It’s actually more than two years old, but a 4th-gen model hasn’t been announced as of when this article was last updated.
It’s pretty safe to buy an iPhone 14, as it is likely to get security updates for at least four more years. However, released in late 2020, the iPhone 12 is already well over three years old. It’s very possible that if you buy one now, you may not get even three years of security updates for it. The latest iPhone SE (3rd generation) was released in March 2022, so it likely still has at least a few years of support ahead of it, and it may outlast the iPhone 12 when it comes to major iOS upgrades. It’s probably not a great idea to buy an iPhone 12 at this point.
(See our iPhone buyers guide to choose which model is best for you.)
What about refurbished iPhones?
As we touched upon, Apple also sells some refurbished iPhone units. As of today, the oldest iPhone that is currently listed on Apple’s website is the iPhone 12 in both the U.S. and UK stores. This model will be able to run iOS 18, but it’s entirely possible that, come iOS 19 in fall 2025, Apple may no longer support this model. In theory, this means that you could potentially buy an iPhone 12, directly from Apple, that may only be safe to use for between one and two years before it no longer receives security updates.
This is not as bad as Apple selling the Apple Watch Series 3 new after it had stopped getting security updates; it was unconscionable to sell a device that had already been cut off. Apple even continued to sell the Apple Watch Series 3 refurbished for eight months after its final security update.
Should you buy a used, refurbished, or “new in box” older model of iPhone, from a third party?
You can buy used, refurbished, or even (ahem) “new” older iPhone models from many sources; Amazon sells them, eBay sellers always have plenty of stock, and mobile carriers’ stores may sell them as well. If you shop around, you’ll likely see iPhone X models, and even older. You may think you’re getting a good deal by buying an old iPhone at a super discount, but doing so may put you at risk. It may either have already been cut off from the latest major iOS version, or it may soon lose that benefit a few months from now, or in a little over a year—and that means you could be cut off from some important security updates.
What about the iPhone SE?
The current model of iPhone SE (3rd Gen) was released in March 2022, a little over three years ago as of this article’s publication date. New iOS versions are typically released around September. It’s a fairly safe assumption that, based on Apple’s past practices, this model is likely to get roughly 4.5 more years of major iOS upgrades (give or take a year).
A “brand new” third-generation iPhone SE from Apple starts at $429. If you shop around, you can probably find one for $300 or less. (In fact, it’s often thrown in for free when activating new service or when adding a new line.) Averaging out the one-time $300–429 over the device’s optimal-security lifespan of roughly 4.5 more years, the iPhone SE (3rd Gen) would cost you around $5–8 per month until you’d need to consider upgrading to a newer model. At that point, you’d probably need to spend roughly the same amount of money to buy the latest iPhone SE or equivalent budget model.
All told, it could cost you as little as $5 per month, on average, to always have a fully supported iPhone model capable of running the latest major iOS version.
Key takeaways
Not everyone can afford to buy a brand new iPhone model every one to three years, but it isn’t really necessary to. Buying an older model to save money can certainly be tempting. However, assuming you typically use the same iPhone for several years, it’s important to be aware that if you buy one that is more than a couple of years old, it may end up becoming unsafe before you know it. Even if you buy it from Apple.
So when is the best time to buy? If you want to get the maximum lifespan out of your iPhone purchase, buy it when the model is brand new—as soon as the new flagship model comes out, which is usually in the fall. If you want to keep using an iPhone for as many years as possible, avoid buying models that are more than a year old; these models will get cut off from major iOS upgrades sooner than newer devices, which will make them unsafe to use in a much shorter timeframe.
If you’re on a tight budget, consider getting the latest model of iPhone SE; 3rd generation is the latest as of when this article was last updated. You might even be eligible to get an SE for “free” (bundled with a monthly service contract) from a mobile phone carrier. Given that Apple’s still selling it for the same $429 as when it was brand new two years ago, if you need to buy one, you may want to get a new-in-box sealed unit from a third party to save some money.
How can I learn more?
You may also be interested in Intego Chief Security Analyst Josh Long’s FAQ thread on 𝕏/Twitter addressing common misconceptions about iPhone security updates (click to read the full post and thread):
⚠️ I’m seeing a ton of misinformation about iPhone security updates. Apparently almost nobody on 𝕏 has a correct understanding of this.* 🤦🏼♂️ Allow me to help set the record straight. 🍏🔒
*This is a strong argument for why Apple needs to make public commitments about how long it… pic.twitter.com/3OxIiX99jK
— Josh Long (the JoshMeister) (@theJoshMeister) October 5, 2023
If you’re a Mac user, see also our related article, When does an old Mac become unsafe to use?
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: 
Header graphic credits: iPhone X image by Rafael Fernandez (CC BY-SA 4.0); “Stairway To Heaven?” image by Richard Walker (CC BY 2.0); cane via Twemijo 12.1.6 (CC BY 4.0); beard by OseBoi (free); glasses by Clker (PD); compilation by Joshua Long for Intego.
