The Mac Security Blog

When does an old iPhone become unsafe to use?

Some people upgrade to a new iPhone every year, to get the latest cameras or other features. But if you’re like most people, you keep your phone for several years before upgrading to a newer model. Perhaps you mainly use your iPhone for the basics, or feel that as long as it isn’t broken and the battery still holds a charge, there’s no real reason to upgrade. (In fact, Apple will even replace the battery for you at a reasonable price, if yours has lost too much of its capacity.)

However, you might not be aware that there’s a real danger in using an iPhone for too long. Specifically, if an iPhone can no longer run the latest version of Apple’s iOS operating system, it will miss out on a lot of critical security updates. Vulnerabilities that remain unpatched can put you at risk.

In this article, we’ll explain in greater detail why using an old iPhone can be dangerous, and which iPhone models are safe to buy in 2024. (See also our articles about when old Macs become unsafe to use and when old iPads become unsafe to use.)

The risk of not getting security updates: zero-day and zero-click exploits

Apple regularly issues security updates for all its platforms, and some of these updates patch “zero-day vulnerabilities”—serious flaws that have already been actively exploited in the wild. This means that they’re not merely theoretical vulnerabilities; any device that doesn’t get updated is at risk of becoming compromised (hacked) by threat actors. Most users don’t think much about this, but there is a real danger to not getting security updates for your iPhone.

Zero-click vulnerabilities

The most serious of these are known as “zero-click” vulnerabilities. This type of vulnerability exploits weaknesses in the operating system to compromise devices without the user doing anything at all. You don’t have to get tricked into launching an app or tapping on a link to a website. Many of these exploits take advantage of vulnerabilities that occur when, for example, a preview of a webpage or document is displayed in the Messages or Mail apps. In fact, zero-click exploits can even infect your device when it’s completely locked, just sitting there on your Lock Screen.

It is well known that the NSO Group’s Pegasus spyware has used zero-click exploits in its arsenal of attacks. These have been used in targeted attacks against the iPhones of politicians, journalists, and activists. Most of these attacks attempt to compromise devices belonging to specific people in order to gain intelligence.

Most average users don’t necessarily have to worry about Pegasus or similar nation-state spyware, per se. However, eventually the details about the vulnerabilities used by Pegasus and other spyware will come to light. Apple gives some minimal details about most of the vulnerabilities it patches. Moreover, savvy experts are able to reverse-engineer Apple’s patches to see exactly how a vulnerability was fixed—and how to exploit it on unpatched devices.

In other words, today’s nation-state attacker’s vulnerability could become part of tomorrow’s everyday cybercriminal’s arsenal. And at that point, if your iPhone or other Apple devices are not up-to-date, then you are at risk from more widespread attacks.

WebKit vulnerabilities affect all iOS browsers

Some vulnerabilities that Apple patches in its security updates involve WebKit, the rendering engine used by the Safari Web browser. In fact, as of September 2024, all third-party browsers on iOS and iPadOS use WebKit; Apple’s App Store policies prohibit browsers like Firefox and Chrome from bringing their own engines. (Technically, the EU is exempt from that restriction, but developers have not yet exercised the option to distribute non-WebKit versions of their browsers for iPhone or iPad.)

Not having a fully up-to-date iOS version means that your iPhone could be compromised by simply browsing to a hacked or malicious site, or even when you view a malicious email with embedded rich Web content.

Apple’s patching policy provides a false sense of security

Apple regularly issues security updates for the current operating systems of all its devices. They occasionally issue security updates for the previous versions of their operating systems, but it’s important to be aware that updates for older Apple OS versions don’t patch all vulnerabilities. (In certain cases, some vulnerabilities patched in today’s operating system might not have existed in last year’s operating system, but perhaps more often than not, Apple simply chooses not to back-port a patch.)

Continuing to use the previous operating system version on any Apple device can be risky. Running an Apple device on an operating system older than the previous one is even more dangerous, because Apple has, in many cases, almost completely (or completely) stopped issuing updates.

Unfortunately, Apple doesn’t make this transparent to users. If you’re still using an iPhone 8 or X today, for example, your device cannot run iOS 18—but you may recall getting an iOS 16 update pushed to your device just months ago. Unless you read The Mac Security Blog, you’re probably blissfully unaware that iOS 16 isn’t fully patched, which means it’s much less safe to use than iOS 18. Literally dozens of vulnerabilities currently remain unpatched for iOS 16. (And, in case you’re wondering, iOS 17 isn’t far behind. All devices that are compatible with iOS 17 can—and should—be upgraded to iOS 18.)

Put more bluntly, Apple gives a false sense of security by providing an incomplete set of patches to the “current minus one” OS, leaving users vulnerable but thinking they’re protected. The same goes for previous iPadOS and macOS versions as well. Based on Apple’s history over the past several years, we have every reason to expect that this will continue to be true throughout the lifespan of the current operating systems: iOS 18, iPadOS 18, and macOS Sequoia; the “one version old” operating systems might still get some patches, but will be significantly more vulnerable to exploitation—and therefore much less safe to use.

When should you upgrade your iPhone?

Many people assume that an iPhone, if it hasn’t been damaged, should last for several years. The age at which people have traded in iPhones has increased in recent years, and now the average trade-in age is nearly three and a half years. But this statistic masks the fact that many people don’t trade in old phones; they may keep using them for many years longer than that, or they may pass them on to family members or friends. And remember that that’s just the average; while some people upgrade yearly, others wait five, six, or seven years or longer before buying a new iPhone.

In order to get the maximum value out of an iPhone purchase, it makes the most sense to buy new flagship models when they are first released, usually in the fall of each year. (Note: Apple’s flagship iPhone 16 line began shipping on September 20, 2024; see our guide to how to choose the right iPhone for you.) Buying an iPhone as soon as new models come out will help ensure that you get as many years as possible out of your purchase (as we will continue to explore further in this article). The main thing to know is that when you buy a brand-new model, you can rest assured that it will get the maximum number of years of major new iOS releases—and that means the maximum number of years of security updates, too.

Which devices can run the latest version of iOS?

For many years, Apple ensured that old devices were able to run the latest version of iOS. You could have bought a new iPhone in late 2015 that was still getting security updates seven years later. Until iOS 16, which was released in late 2022, you could still run the latest version of iOS on an iPhone as old as the iPhone 6S. In fact, the iPhone 6S had been the cutoff for devices supporting the latest version of iOS since iOS 13 (see the chart below).

In late 2023, Apple filed a regulatory document in the UK stating that they would provide updates for a minimum of five years from the date of first sale. This means that an iPhone first sold in September 2024 would be guaranteed to get security updates until at least September 2029.

In June 2024, Apple announced the release of iOS 18, and stated that iPhones as old as the iPhone XS and iPhone XR (and, in fact, all models that supported iOS 17) would be able to run the new operating system. These devices were released in late 2018, so that means that they will effectively get at least seven years of updates after these models first shipped. (They may or may not be able to run iOS 19; we won’t know until it’s announced in mid-2025.) So, in practice, Apple is currently offering more than five years of updates.

Many iPhone users don’t buy immediately after a new model comes out; some may wait until the early-fall sales in anticipation of the next model’s release, to save a bit of money. This isn’t necessarily a great idea from a security perspective, if you want to maximize the number of years you can safely get out of that device. But most people are completely unaware of this.

A chart detailing the compatibility of iOS versions with iPhone models, from iOS 12 through iOS 18

Apple admits that 1/4 of users aren’t running the current major iOS version

According to Apple’s own statistics (as seen in the chart below), as of June 2024, 14% of all iPhones were still running some version of iOS 16 (the “current minus one” release at the time)—which means their operating system was effectively at least nine months old; iOS 17 came out in September 2023.

And worse yet, an additional 9% of all iPhones were running a version of iOS older than iOS 16—meaning their operating system was effectively about two years old or older. Many of these may be devices older than the iPhone 8, 8 Plus, or X, which were able to run up to iOS 16, but some may also be devices whose owners have simply not upgraded iOS, for a variety of reasons.

In total, 23%—nearly one fourth—of all iPhones were running an outdated operating system, and susceptible to being exploited with known vulnerabilities.

As an aside, even if we focus on just the iPhone models introduced in the past four years—all of which were iOS 17 compatible (and are now iOS 18 compatible as well)—11% of them were still running iOS 16, and an additional 3% were running something older than that. On the surface, that means that nearly 1 in 7 recent iPhones are running a very old, outdated, and insecure operating system.

Of course, if Apple had given us the data to dig deeper into which specific versions of iOS users were running (e.g. 17.5, 17.4.1, etc.), we would probably see that even amongst iOS 17 users, only a subset were actually installing every iOS update quickly—and staying fully patched—at any given time.

iPhones no longer supported by iOS 18

Only the iPhone XS and XR or later (which includes the iPhone SE 2nd gen, iPhone 11, and more) can run iOS 18. These are the same models that could run iOS 17.

Unlike macOS with OpenCore Legacy Patcher, there’s no third-party solution to run newer iOS versions on unsupported iPhones. If you have a model that can’t run iOS 18, your only option is to buy a newer iPhone if you want security updates.

Think twice before buying an old model—no matter how good a “deal” it may seem

If you’re thinking about buying an old model of iPhone, or a refurbished unit, beware that its safe lifespan is limited. The same is true if you hand an iPhone down to a family member; it’s important to ensure that the model in question will still get major iOS updates for as long as you plan to use it.

Apple always sells one or two older model iPhones, still new in box, alongside the latest model. (For example, Apple currently sells the full iPhone 16 lineup, as well as iPhone 15 and 15 Plus, and iPhone 14 and 14 Plus. If we look at refurbished units, Apple is even still selling iPhone 13 models.) From Apple’s perspective, this is a good way to reach a lower-income or more price-conscious audience, by offering iPhones that are less expensive than the newest ones.

Apple is also selling the iPhone SE (3rd generation), which is the least expensive “new” model. It’s actually more than two and a half years old, but a 4th-gen model hasn’t been announced as of when this article was last updated.

(See our iPhone buyers guide to choose which model is best for you.)

What about refurbished iPhones?

As we touched upon, Apple also sells some refurbished iPhone units. As of today, the oldest iPhone models that are currently listed on Apple’s website are from the iPhone 13 line, in both the U.S. and UK stores. The iPhone 13 line was released in September 2021, and can run iOS 18. These models will probably be able to run iOS 19 as well (which will presumably be released in fall 2025, and be fully patched until fall 2026).

But what about after that? Based on Apple’s commitment to the UK, Apple could choose to drop support for this model as soon as fall 2026. In theory, this means that you could potentially buy an iPhone 13, directly from Apple, that may only be safe to use for two years before it no longer receives full security updates. (On the other hand, in recent years Apple has tended to support new iOS versions on iPhone models for six or seven years after their first sale date, so you might not get cut off until as late as fall 2028. Only time will tell.)

This is not as bad as Apple selling the Apple Watch Series 3 new after it had already stopped getting security updates; it was unconscionable to sell a device after it had been cut off. Apple even continued to sell the Apple Watch Series 3 refurbished for eight months after its last comprehensive security update.

Should you buy a used, refurbished, or “new in box” older model of iPhone, from a third party?

You can buy used, refurbished, or even (ahem) “new” older iPhone models from many sources; Amazon sells them, eBay sellers always have plenty of stock, and mobile carriers’ stores may sell them as well. If you shop around, you’ll likely see iPhone X models, and even older. You may think you’re getting a good deal by buying an old iPhone at a super discount, but doing so may put you at risk. It may either have already been cut off from the latest major iOS version, or it may get cut off roughly a year from now—and that means you could start missing out on important security updates.

What about the iPhone SE?

The current model of iPhone SE (3rd Generation) was released in March 2022, just over 2.5 years ago, as of when this article was last updated. New iOS versions are typically released around September. It’s a fairly safe assumption that, based on Apple’s past practices and statement to the UK, this model is likely to get at least 2.5 more years of major iOS upgrades, and might theoretically get up to 4.5 more years.

A “brand new” third-generation iPhone SE from Apple starts at $429. If you shop around, you might even find a new one for as little as $200. (In fact, it’s often thrown in for free when activating new service or when adding a new line.)

So while you’ll get fewer years of security updates if you buy a 3rd Gen now, it’s also cheap enough that you can more easily replace it when it eventually does get cut off from security updates. Or, if you aren’t in a rush, you could wait until the 4th Generation model comes out; there’s a decent chance that it may come around spring 2025.

Key takeaways

Not everyone can afford to buy a brand new iPhone model every few years, but it isn’t really necessary to. Buying an older model to save money can be tempting, but if you tend to use the same iPhone for many years, beware that it won’t get security updates for as many years as a new model will.

When is the best time to buy? If you want to get the maximum lifespan out of your iPhone purchase, buy it when the model is brand new—as soon as the new flagship model comes out, which is usually in the fall. If you want to keep using an iPhone for as many years as possible, avoid buying models that are already more than a year old; these models will get cut off from major iOS upgrades sooner than newer devices, which will make them unsafe to use in a shorter timeframe.

If you’re on a tight budget, consider getting the latest model of iPhone SE; although it’s old, the 3rd generation is still the latest as of when this article was last updated. You might even be eligible to get an SE for “free” (bundled with a monthly service contract) from a mobile phone carrier. Given that Apple’s still selling it for the same $429 as when it was brand new 2.5 years ago, if you need to buy one, you can save a substantial amount of money by shopping around for a new-in-box sealed unit from a third party.

How can I learn more?

You may also be interested in Intego Chief Security Analyst Josh Long’s FAQ thread on 𝕏/Twitter addressing common misconceptions about iPhone security updates.

If you use an iPad, check out our related piece, When does an old iPad become unsafe to use?

And if you’re a Mac user, see also our related article, When does an old Mac become unsafe to use?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.

Header graphic credits: iPhone X image by Rafael Fernandez (CC BY-SA 4.0); “Stairway To Heaven?” image by Richard Walker (CC BY 2.0); cane via Twemoji 12.1.6 (CC BY 4.0); beard by OseBoi (free); glasses by Clker (PD); compilation by Joshua Long for Intego.
