When Apple stops issuing security updates for older iPads, they become unsafe to use. But exactly how long can you safely keep using an old iPad?
Although many people upgrade their iPhones every year or two, they tend to hold onto iPads much longer. This makes sense: most people don’t carry an iPad around with them all the time, and it doesn’t get the same wear and tear that an iPhone does.
You might not be aware that there’s a real danger in using an iPad for too long. If a device can no longer run the latest version of Apple’s iPadOS operating system, it will miss out on a lot of critical security updates. Vulnerabilities that remain unpatched can put you at risk.
In this article, we’ll explain why using an old iPad can be dangerous, and which iPad models are safe to buy in 2024. (See also our articles about when old iPhones become unsafe to use and when old Macs become unsafe to use.)
Apple regularly issues security updates for all its platforms, and some of these updates patch “zero-day vulnerabilities,” which are serious vulnerabilities that are being actively exploited in the wild. This means that they are not mere proof-of-concept vulnerabilities; any device that doesn’t get updated is at risk of becoming compromised (hacked) by threat actors. Most users don’t think much about this, but there is a real danger of not getting security updates for your iPad.
The most serious of these are what are called “zero-click” vulnerabilities. This type of vulnerability exploits weaknesses in the operating system to compromise devices—without the user doing anything at all. You don’t have to get tricked into launching an app or tapping on a link to a website. Many of these exploits take advantage of vulnerabilities that occur when, for example, a preview of a webpage or photo is displayed in the Messages or Mail apps.
Zero-click exploits can even infect your device when it’s completely locked, when push notifications display on your Lock Screen. It is well known that the NSO Group’s Pegasus spyware has used zero-click exploits in its arsenal of attacks, which have targeted the devices of politicians, journalists, and activists. Most of these attacks attempt to compromise devices belonging to specific people in order to gain intelligence. (See our story archives about Pegasus and zero-click exploits.)
Most users don’t need to worry about Pegasus or similar nation-state spyware, per se. However, eventually, the details about the vulnerabilities used by Pegasus and other spyware will come to light. (Notably, Apple gives some details about most of the vulnerabilities it patches. Moreover, savvy experts are able to reverse-engineer Apple’s patches to see exactly how a vulnerability was fixed—and how to exploit it on unpatched devices.) In other words, today’s nation-state attacker’s vulnerability could become part of tomorrow’s everyday cybercriminal’s arsenal. And at that point, if your Apple devices are not up-to-date, then you are at risk from more widespread attacks.
Some vulnerabilities that Apple patches in its security updates involve WebKit, the rendering engine used by the Safari Web browser. In fact, as of July 2024, all third-party browsers on iOS and iPadOS use WebKit; Apple’s App Store policies prohibit browsers like Firefox and Chrome from using their own engines. (In the EU, developers now have the option to distribute non-WebKit versions of their browsers through third-party app marketplaces, but not via Apple’s official App Store.)
Not having a fully up-to-date iPadOS version means that your iPad could be compromised by simply browsing a hacked or malicious site, or even when you view a malicious email with embedded rich Web content.
Apple regularly issues security updates for the current operating systems of all its devices. They occasionally issue security updates for the previous versions of their operating systems, but it’s important to be aware that updates for older Apple OS versions don’t patch all vulnerabilities. (In certain cases, some vulnerabilities patched in today’s operating system might not have existed in last year’s operating system, but perhaps more often than not, Apple simply chooses not to back-port a patch.)
Continuing to use the previous operating system version with any Apple device can be risky. Running an Apple device on an operating system older than the previous one is even more dangerous, because Apple has, in many cases, almost completely (or completely) stopped issuing updates.
Unfortunately, Apple doesn’t make this transparent to users. If you’re still using an iPad (5th generation) today, for example, your device cannot run iPadOS 17, but you may still get occasional, partial security updates pushed to your device for iPadOS 16. Unless you read The Mac Security Blog, you’re probably unaware that iPadOS 16 isn’t fully patched, which means it’s much less safe to use than iPadOS 17. As just one recent example, iPadOS 17.4 addressed 39 vulnerabilities that have CVE numbers assigned, while the corresponding iPadOS 16 update only patched 19 CVEs—about half as many.
Put more bluntly, Apple gives a false sense of security by providing an incomplete set of patches to the “current minus one” OS, leaving users vulnerable but thinking they’re protected. The same is true not just for iPadOS 16, but also for iOS 16 and macOS Ventura. Based on Apple’s history over the past several years, we have every reason to expect that the same will be true for the upcoming Apple operating systems, iOS 18, iPadOS 18, and macOS Sequoia; the “one version old” previous operating systems might still get patches, but will be significantly less safe to use, and significantly more vulnerable to exploitation.
Many people assume that an iPad, if it hasn’t been damaged, should last for four to five years, if not longer. Recent data shows that 40% of people have iPads that are more than three years old, and this suggests that many iPads are probably used for more than five years. The iPad is the ideal device to hand down to family members or pass on to friends when it’s replaced; trade-in values for old iPads are generally low, and most iPads don’t offer cellular access, and don’t require data contracts. An old iPad is a handy device to use on Wi-Fi for casual web browsing, email, and simple games.
In order to get the maximum value out of an iPad purchase, it makes the most sense to buy new models when they are first released, or shortly after that time. This will help ensure that you get as many years as possible out of your purchase (as we will continue to explore further in this article). The main thing to know is that when you buy a brand-new model, you can rest assured that it will get the maximum number of years of major new iOS releases—and that means the maximum number of years of security updates, too.
In late 2023, Apple filed a regulatory document in the UK stating that they would provide updates for a minimum of five years from the date of first sale. This means that an iPad first sold in September 2023 would be guaranteed to get security updates until at least September 2028. In June 2024, Apple announced the release of iPadOS 18 and stated that devices as old as the iPad Air (3rd generation) and the iPad (7th generation) would be able to run the new operating system. These devices were released in 2019, so that means that they will effectively have at least six years of updates, until the release of iPadOS 19—which they may or may not be able to run. So, in practice, Apple is offering more than five years of updates from the initial date of sale.
The above chart can seem confusing because of Apple’s naming convention for the iPad. Unlike with the iPhone, whose name increments each year, it can be difficult to remember which iPad you have; you can find its name in Settings > General > About. It looks like, going forward, iPad names will contain the processor (M2, M4), which could help make this clearer in the future.
According to Apple’s own statistics (as seen in the chart below), as of June 2024, 17% of all iPads were still running iPadOS 16, which means their operating system was nearly a year out of date.
And worse yet, an additional 15% of all iPads were running a version of iPadOS older than iPadOS 16, meaning their operating system was more than three years old. Many of these may be devices older than those able to run iPadOS 16, but some may also be devices whose owners have simply not upgraded, for a variety of reasons.
In total, 32%—nearly one-third—of all iPads were running an outdated operating system, and susceptible to being exploited with known vulnerabilities.
And if we just focus on iPad models introduced in the past four years (all of which are iPadOS 17 compatible), 15% of them were still running iPadOS 16, and an additional 8% were running something older than that. On the surface, that means that nearly 1 in 4 recent iPads are running an old, outdated, and insecure operating system.
Interestingly, these numbers—even the percentage of recent devices running the current operating system—are different for the iPhone. For some reason, people are less likely to update their iPads than their iPhones, which makes iPads, in general, less secure than iPhones, and could make them a better target for hackers and cyber-criminals. (See our related article: When does an old iPhone become unsafe to use?)
If we were able to dig deeper into which specific versions of iPadOS users were running, we would likely see that even amongst iPadOS 17 users, relatively few are installing every iPadOS update quickly and staying fully patched at any given time.
If you’re thinking about buying an old iPad model, or a refurbished unit, beware that its safe lifespan is limited. The same is true if you hand an iPad down to a family member; it’s important to ensure that the model in question will still get major iPadOS updates for as long as it is used.
Unlike with the iPhone, where Apple always sells one or two older model iPhones, still new in box, alongside the latest model, the company only sells current model iPads. However, some of the current models may have been around for a long time. As of June 2024, Apple is selling the iPad mini (6th generation), which was released in September 2021. Apple’s five-year commitment to issuing updates is based on when a device was first sold, not the date you buy it; this means Apple only guarantees that the current iPad mini will get updates through September 2026. After that date, there is no guarantee, and you could buy an iPad now that will stop getting updates in just over two years, making it insecure.
What about refurbished iPads?
Apple also sells some refurbished iPads. As of today, the oldest iPad that is currently listed on Apple’s website is the iPad Air (4th Generation), in both the U.S. and UK stores. This model will be able to run iOS 18, but it’s entirely possible that come iOS 19 in fall 2025, Apple may no longer support it. The model was released in October 2020, so Apple’s five-year guarantee runs out in October 2025. In theory, this means that you could potentially buy an iPad Air (4th Generation) directly from Apple that may only be safe to use for between one and two years before it no longer receives security updates.
This is not as bad as Apple selling the Apple Watch Series 3 new after it had stopped getting security updates; it was unconscionable to sell a device that had already been cut off. Apple even continued to sell the Apple Watch Series 3 refurbished for eight months after its final security update.
You can buy used, refurbished, or even (ahem) “new” older iPad models from many sources; Amazon sells them, eBay sellers always have plenty of stock, and mobile carriers’ stores may sell them as well. If you look on eBay, you’ll find plenty of refurbished iPad Air 2 models, selling at very low prices, but this device can only run up to iPadOS 15, which gets no updates. The same is true for the iPad (5th generation), which only supports iPadOS 16, and is not likely to get any updates starting in the fall of 2024 when iPadOS 18 is released. Early iPad Pro models are at risk: the 9.7" versions won’t run iPadOS 17, and the 10.5" model is dropped from support by iPadOS 18.
You may think you’re getting a good deal by buying an old iPad at a super discount, but doing so may put you at risk. It may have already been cut off from the latest major iPadOS version, or it may lose that benefit a few months from now or in a little over a year; that means you could be cut off from some important security updates.
Unlike with the iPhone, most people don’t upgrade their iPads often. Buying an older model to save money can certainly be tempting, but it’s important to be aware that if you buy one that is more than a couple of years old, it may end up becoming unsafe before you know it. Even if you buy it from Apple.
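The two checks described above (the five-year guarantee counted from first sale, and the patch level implied by the newest iPadOS a model can run) can be applied to a purchase list or device inventory. The following is an added example, not code from Intego or Apple; the inventory is constructed from the models and dates this article mentions, and the day of the month and the purchase date are assumptions.

```python
from datetime import date

GUARANTEE_YEARS = 5  # Apple's UK filing cited above: minimum five years from first sale

# Constructed inventory. First-sale months and OS ceilings are the ones the article
# gives; the day of month (1st) is an assumption, None means "not stated on the page".
MODELS = {
    "iPad mini (6th generation)": {"first_sold": date(2021, 9, 1), "max_os": None},
    "iPad Air (4th generation)": {"first_sold": date(2020, 10, 1), "max_os": None},
    "iPad (5th generation)": {"first_sold": None, "max_os": 16},
    "iPad Air 2": {"first_sold": None, "max_os": 15},
}

def guarantee_end(first_sold):
    """Guaranteed-update cutoff: counted from first sale, not from purchase."""
    return first_sold.replace(year=first_sold.year + GUARANTEE_YEARS)

def months_left(first_sold, on):
    """Whole months of guaranteed updates remaining on a given date (0 if expired)."""
    end = guarantee_end(first_sold)
    return max(0, (end.year - on.year) * 12 + (end.month - on.month))

def patch_tier(max_os, current_major):
    """Classify by the newest major version the device can run.
    Assumption: a model with no stated ceiling can run the current release."""
    if max_os is None or max_os >= current_major:
        return "full"      # can run the current release
    if max_os == current_major - 1:
        return "partial"   # "current minus one": only some CVEs are back-ported
    return "none"          # two or more versions behind: effectively unpatched

def assess(model, on, current_major):
    """Combine both checks for one model on a given purchase or audit date."""
    info = MODELS[model]
    sold = info["first_sold"]
    return {
        "model": model,
        "tier": patch_tier(info["max_os"], current_major),
        "guaranteed_until": guarantee_end(sold) if sold else None,
        "months_left": months_left(sold, on) if sold else None,
    }

if __name__ == "__main__":
    today = date(2024, 6, 15)  # constructed purchase date
    for name in MODELS:
        print(assess(name, today, current_major=17))
```

Re-running `assess` with `current_major=18` shows which devices drop from partial patching to none once the next major release ships.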
So when is the best time to buy? If you want to get the maximum lifespan out of your iPad purchase, buy it when the model is brand new. Unlike the iPhone, which is on an annual upgrade cycle in the fall each year, iPad upgrades are more sporadic. For example, in May 2024, Apple upgraded the iPad Air and iPad Pro. The previous upgrades to these devices were in March 2020 (iPad Air) and October 2022 (iPad Pro). Over time, most iPad models see upgrades between around 18 and 24 months, with one exception being the iPad mini, which, as of June 2024, is approaching three years since its last upgrade (September 2021).
For more on choosing an iPad, see our article: Which iPad Is Best for You in 2024?
Header graphic credits: “Stairway To Heaven?” landscape image by Richard Walker (CC BY 2.0); cane via Twemoji 12.1.6 (CC BY 4.0); beard by OseBoi (free); glasses by Clker (PD); compilation by Joshua Long for Intego.