We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies. You can understand more and change your cookies preferences here.


When you click on a retailer link on our site, we may earn affiliate commission to help fund our not-for-profit mission.Find out more.

1 Jul 2021

Almost half of mobile phone contracts could leave consumers with an insecure device

A lack of transparency over security updates could leave you with an unsupported phone within a year of a new contract

Four in 10 people believe a mobile phone will receive crucial security updates for the length of their pay monthly contract*. But Which? research found that nearly half the smartphones available on contracts could lose support before you've finishing paying them off.

We looked at all the new phones available on contract from Carphone Warehouse, EE, Mobile Phones Direct 02, mobiles.co.uk, Three and Vodafone in mid-June 2021.

On average, 48% of these contracts were on phones that we suspect could be out of support before the end of the contract period, and 13% could lose update support less than a year in.

Head to all our mobile phone reviews to compare the latest handsets to go through our test lab.

Video: Why security is important on a smartphone

Find out if your phone is still protected, and what to do next.

How a mobile phone contract could leave you with an unsupported phone

When you buy a phone on a pay-monthly plan, there are no guarantees that its security support will last the length of your contract, or even past the first year.

This is especially the case on longer contracts. On O2, 73% of phones we looked at will lose support before the end of a 36 month contract period - the maximum duration of its O2 Refresh plan.

But even on more typical 24 month contracts, many phones were at risk. 52% of models available on contract at Carphone Warehouse could lose support before the contract ends. We also found 50% of models at mobiles.co.uk, 50% at Vodafone, 40% at Three and 33% at EE that could be similarly affected.

Out of support in less than a year

The risks of using a phone that has just fallen off the update cycle are small, but they increase the longer you wait. That's why we're concerned to see phones that will lose support less than a year into a contract on sale - 21% of phones for O2, 19% for mobiles.co.uk and 18 for Carphone Warehouse could lose support less than 12 months after your contract begins.

Popular models that could be affected include:

  • Motorola G8 Power - sold by mobiles.co.uk and Vodafone
  • Oppo Find X2 Lite - sold by EE, Mobile Phones Direct, mobiles.co.uk, O2 and Vodafone
  • Samsung Galaxy S9 - sold by Vodafone and recently having lost its Which? Best Buy status because it could have less than a year of support left.

Why security updates on mobile phones matter

Mobile phone security

The wealth of data your phone holds makes it an enticing prospect for hackers. They can exploit the small holes that appear in the software over time, using them to plant malware on your device - so a phone that's still able to be patched to fix these issues is important.

Consumers agree. Seven in 10 (69%) said that they would be concerned if their phone was no longer receiving security updates.

You're unlikely to have your phone hacked as soon as it falls off the update cycle, but the risks increase the longer you leave it, so we recommend upgrading as soon as you can. Our guide to smartphone security has some tips to make your phone more secure to tide you buy a new handset.

Read why Which? is removing Best Buys from phones with less than a year of support, and how our Security Notice can help warn you of at-risk devices.

How to buy a smartphone that will last

As our research on contract providers shows, it's easy to pick a phone with a limited shelf life. However, Which? can help you to choose a longer-lasting handset.

Use our smartphone security tool to search the phone you're thinking of buying.

Our calculator reveals how much longer we suspect a phone will have before it falls off the manufacturer's update list.

How to manage security on a smartphone

There is work to be done across the board to improve update support periods and transparency with mobile phones - but there are things you can do to help ensure you are not left out in the cold by the manufacturer.

  • Check support periods before you buy. Some Android phones can lose update support in a little over two years from launch, Apple iPhones last more than five. Use Which?'s phone support calculator to see how long a phone has left, and remember support starts from the launch of the phone, not when you buy it.
  • Avoid downloading apps from third party app stores. Stick to official app stores, where apps have undergone checks to make sure they are legitimate. This does not guarantee an app is safe, but vastly reduces the risk. This is especially important if your phone is no longer supported.
  • Check permissions. When you install an app, check what permissions it is asking for, and think twice if some seem unusual. Make use of Apple and Android permission control options too, such as choosing that an app can only access your location when it is being used.
  • Keep devices updated. Download any security patches as soon as they are available, or if there is an option to download and install automatically, make sure it is turned on.

Contract retailers respond

EE disputed seven phones in our analysis and Three disputed eight, stating that manufacturers had confirmed support for the handsets, in contrary to our findings. Vodafone also believes that 'support generally extends beyond the timeframe' in our research.

Dixons Carphone (owner of Carphone Warehouse and mobiles.co.uk) said it would welcome clearer communications from manufacturers around mobile phone security that it could pass on to its customers.

Mobile Phones Direct stated its intention to work with brands to raise consumer awareness of the need to adopt the latest updates, and O2 told us that should manufacturers make one-off updates available outside of the set lifespan, they would work with them to help deliver these patches to their customers.

Samsung and Motorola both stated their commitment to customer satisfaction and security, but Oppo did not wish to comment.

Smartphone manufacturers must do more

Contract providers could do more to make consumers aware of security updates when they sign the paperwork, but the ultimate responsibility for this issue lies with the brands.

A lack of transparency in the industry makes it difficult to know exactly when a phone will fall off the update cycle. Short support periods are a big issue too -whilst some brands like Samsung and Apple offer more than four years of updates, some languish on just two years. That period begins from the phone's launch, not when you buy it, so if you choose a brand like Honor, Motorola, Realme or Xiaomi on a 24 month contract, you'll inevitably have some period of time out of support.

Which? is calling on smartphone brands to provide:

  • At least five years of software and security updates across all devices from point of release, regardless of popularity or cost.
  • In-device notifications about when update support will cease, so that consumers can make more informed decisions about next steps.
  • More regular update support from when manufacturers are first made aware of patches, particularly for those using the Android operating system.
  • Greater clarity about actual updates policies at time of purchase, and on a publicly available website, so consumers are fully informed about update provision before they buy.

*according to a survey of 2,084 UK adults online in June 2021. Data was weighted to be representative of the UK population by age, gender, region, social grade, tenure and work status. Of this sample 1,985 people owned a smartphone and answered the survey questions.