We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies. You can understand more and change your cookies preferences here.


When you click on a retailer link on our site, we may earn affiliate commission to help fund our not-for-profit mission.Find out more.

31 Jul 2020

Why some second-hand phones could be a security risk

We found nearly a third of second-hand mobile phones on some retailer sites may no longer be receiving security updates

A refurbished mobile phone is a more sustainable and cost-efficient alternative to buying new. But a Which? investigation shows that you may be purchasing a device that's no longer being supported with important security updates, and is more vulnerable to hackers.

We looked at three popular mobile phone retailers and on CeX - the worst affected, 31% of the models being resold were no longer supported with security updates from manufacturers.

When approached with our research, both Music Magpie and SmartFoneStore agreed to do their part by warning people before they buy a mobile phone that isn't getting updates. Music Magpie also pulled all the affected models from sale.

We look at which popular mobile phones are out of support and how inadequate update policies will have detrimental effects on the environment.

We update our reviews when a phone is no longer receiving security updates. Browse our mobile phones reviews to see if your next purchase is affected.

Mobile recycling companies stocking out-of-support phones

An online survey of 1,251 Which? members conducted in May 2020 revealed that 62% of people think that a mobile phone is broken down for parts when it's sent to recycling companies. Our investigation reveals that in most cases, these phones are refurbished and resold.

While this is an effective sustainable solution in preventing phones from being improperly disposed of or living out the rest of their existence unused in a kitchen drawer, with such short update cycles on some Android mobile phones, people may be purchasing devices that aren't secure.

We investigated three of the biggest mobile phone recycling companies in May 2020 and found that all of them were reselling models that are no longer scheduled by manufacturers to receive updates.


SmartFoneStore operates under the CMR Ltd umbrella which also owns the recycling company, Fonebank. After investigating the models being sold by its second-hand retail arm, we found that 17% of them, including the Google Pixel XL, Huawei P10 and Samsung Galaxy S7, were no longer supported (10 out of 59).

Following our investigation, SmartFoneStore has issued an update (shown above), adding a warning on unsupported devices so people are aware before they buy them.

Music Magpie

Music Magpie made a name for itself for buying physical media but it's now one of the most well-known second-hand tech retailers. Our investigation found that 20% of the models on Music Magpie's site were no longer supported (16 out of 82). This list includes the Apple iPhone 5, Samsung Galaxy S4 and Huawei Mate 10 Pro.

When we approached Music Magpie with our research, all the affected devices were removed from sale. Its Chief Commercial Officer Jon Miller stated that these devices account for less than 1% of its stock and sales but they want to 'provide the correct messaging and advice to customers where these devices are listed'.


Almost a third (31%) of the models on the popular high-street retailer's site were no longer supported. Some of the phones that were for sale included the Apple iPhone 4S, Samsung Galaxy Note 4 and Motorola Moto G (3rd Gen).

We contacted CeX for a comment on these issues but did not receive a reply.

Which popular phones are no longer being updated?

Typically, mobile phones running the Android operating system will receive two years of operating system updates and three years of security updates. Updates issued to Apple iPhones usually package system and security updates together and, on average, you'll receive these for 5-6 years.

However, despite these industry averages, there are examples of mobile phones such as the Huawei Mate 10 Pro, which uses Android, that was delisted from Huawei's security updates page only 28 months after its release.

One of the easiest ways to find out whether your mobile phone is still receiving updates is to check the manufacturer's security updates page. These pages are regularly updated so if your phone isn't listed, it's most likely that it's not supported anymore. Here are some popular mobile phones that are not receiving any more updates:

  • Apple iPhone 5 - launched u200eSeptember 2012
  • Google Pixel XL - launched October 2016
  • Huawei P10 - launched March 2017
  • Samsung Galaxy A8 Plus (2018) - launched January 2018
  • Samsung Galaxy S7 - launched March 2016

Check out our guide to the best deals on mobile phones if you're on the lookout for a new model.

Phone manufacturers must do more

The lack of robust, sustainable solutions for the disposal of mobile phones is an ongoing concern.

With effective options in place to resell pre-owned devices, the potential is there to prolong their lifespans. But until manufacturers offer complete transparency about how long devices will be supported, and commit to supporting devices for longer, it is more difficult to take advantage of these services without putting consumers at risk.

Our advice is to do your research before you buy - and avoid buying any phones that are no longer receiving security updates. If you own a phone that isn't being updated, you should consider upgrading and be mindful of the risks. Follow the steps below to minimise the chance of issues until you purchase a new phone.

Three tips to stay safe with an old phone

While the tips below are important to mitigate the risks with older devices, it's all good practice even if you're using a new phone.

Manage app permissions

It's common for apps to ask for permissions to access personal data such as your contacts or location. But if an app is requesting seemingly unrelated information, that's a red flag. A basic calculator app has no reason to read your memory card.

Avoid apps from unofficial stores

Mobile phones that aren't receiving security updates are the perfect target for dodgy apps. Stick to downloading apps through the official Apple Store (iOS) and Google Play Store, because these apps go through a verification process. Apps from other stores may appear legitimate but are in fact lookalikes containing malware.

Learn to recognise phishing attacks

Double or even triple-check emails and texts that you receive from companies to spot telltale signs of phishing such as misspelt URLs or poor grammar. If in doubt, don't click on the link they provide and contact the company separately through official channels.

For more tips and advice, read our detailed guide on mobile phone security.