
19 July 2021

Mobile phone security: why phones over two years old could be a risk

If you're using a phone that's over two years old, it may no longer be receiving security updates. Follow our advice to help stay safe
Louise Muyanja

Over time, Android and Apple's iOS have evolved to keep up with new security threats that put your personal information at risk. But if you're still using a smartphone that's been left behind by the manufacturer, you're a much easier target.

Some Android phones stop receiving security updates after just two years. Apple iPhones last longer, at five to six years, but once these periods have passed there's an increased risk in using the device.

Our phone support calculator below, and advice on smartphone best practice, can help.

You can also check the tech specs section in our mobile phone reviews to see security update information for every phone we test.


Which? phone support calculator

Use the search box below to find out if the phone you own is still supported, or how long you can expect support for a phone you're looking to buy.

These support periods are based on our own estimates and research into typical manufacturer and device-specific support. If you're using a phone that's no longer being updated, you should consider upgrading. Until you do, the following advice will help mitigate the risks.

Avoid apps from unofficial app stores

Most apps you download will probably be from the official Google Play Store or Apple App Store. However, you might find yourself in a situation where you're tempted to shop elsewhere.

What's the risk?

Google tests every app before it's allowed into the Play Store – Google's own repository that currently offers a selection of around 3 million apps.

That should be enough for almost anyone, but you might find yourself tempted to install apps from outside Google Play from time to time. It may be for a legitimate reason – the popular game Fortnite and, until recently, Amazon’s Prime Video app had to be 'sideloaded', which means allowing apps Google hasn't verified to be installed onto your phone.

While there's less risk of doing this with apps produced by established developers, the problem with many other unverified apps is that it's often difficult to tell how legitimate they are, or if they could be hiding malware designed to compromise your device. 

There's another notable risk of downloading from unofficial stores – lookalike apps. These are created to look exactly like a legitimate app, but are actually copycats that could contain malware or bombard you with advertising. 

How can I avoid it?

Quite simply, avoid installing apps that aren't on Google Play – which shouldn't be too difficult given the wide selection available.

If you do want to download such an app, you'll have to disable Android's built-in controls preventing unofficial apps from being installed. On older versions of Android, always manually re-enable the ‘unknown sources’ block in your Android settings after you’re finished (this is done automatically in newer Android versions).

Be wary of lookalike apps, which can be difficult to discern from the real thing. Differences can include a slightly altered design on a logo, an unrecognised developer, or evidence of fake review activity – such as an unusually high number of five-star reviews. 

What's being done to fix it?

Google introduced Play Protect in 2017, essentially a malware scanner that adds an extra layer of protection by scanning any apps that are installed on a mobile phone – even those that come from unofficial app stores. 

Play Protect isn't flawless, however. Illegitimate apps have been known to slip through the cracks, although Google usually acts quickly to remove them and, if necessary, to provide a security update. It's another reason why a mobile phone that has the latest updates is more secure – but despite these instances, we'd still recommend sticking to the official app store when downloading apps.

Be selective with apps you download

There's a seemingly endless array of apps available to download and use, but while it is advisable to stick to the official app store, it's not a magic bullet.

Apps that contain malware do occasionally make their way onto official stores and are usually detected and removed by Apple or Google, but that's not much comfort to those who have already downloaded them.

There's no hard and fast rule on apps to avoid, but they often take the form of accessories or customisation tools – think free wallpapers, video or photo editors, file managers, games and tools like a QR reader or flashlight.

If you're looking for an app like this, try and stick to those with plenty of reviews, that have been around for a while, and are from a reputable developer. All of this information should be available in the detailed app information on the store.

You should also try to avoid hoarding apps – if you're not using one, delete it.

Manage your app permissions

App permissions control what parts of your phone an app is allowed to access – such as using your location to pinpoint your position on a map. Some apps have been known to ask for a few too many privileges, however.

An app may access either your precise or approximate location using a range of technologies, such as GPS. 

You probably have your phone with you at all times, so you shouldn’t lightly give an app permission to know your location. Manage this one carefully.

An app can use your device's address book, which may include the ability to read and modify your contacts.

A lot of apps want to access your contacts. This can be legitimate, but can also be an attempt to market its services further afield. Deny if you aren’t comfortable with this.

An app can use your device's calendar information, which may include the ability to read calendar events and possibly add or modify them, too. 

There’s a lot of private information in your calendar, not to mention details of your whereabouts for weeks and months ahead. Make sure the app justifies its access before giving it.

You wouldn’t let just anyone browse through your private messages or texts, so don’t give some company permission without it giving a good reason why.

It is very unlikely that an app would turn your phone into a spy-style listening device. But if there’s no clear need to give access to the microphone, don’t.

An app may want to access the photos and files stored on your device. For example, a social network may need to access your camera roll in order to enable you to share your photos with other users. If the justification for access seems spurious, however, don't allow it.

Allows the app to access data from wearable sensors, such as heart rate monitors. This could be used to give you advanced tracking information, such as with a fitness app. 

As the sensor information gathered can be very detailed, however, be careful which apps are given access.

What's the risk?

One common way that illegitimate apps could create havoc on a mobile phone is through abusing these permissions. For example, a form of malware called Joker or 'Bread' was found on seemingly innocent apps relating to, among other things, photo enhancement or wallpapers for your phone. The app would ask for potentially dangerous permissions, such as access to your location, contacts, call logs or text messages. It could then subscribe to a premium service and automatically confirm payments by intercepting an SMS message, adding recurring charges to a user's phone bill.

In this example, a user may well have questioned why an app that's simply offering a range of new wallpapers or screensavers for a phone would need access to their contacts or text messages.

How can I avoid it?

Carefully consider what permissions an app would reasonably need to run properly, and whether you should grant them. Depending on which version of Android you're using, this is handled in different ways – you may be asked to approve permissions when the app is downloaded or run. 

Most of the time, the permissions the app is seeking will make sense and don't pose a security risk. Google Maps will request location access so it can provide turn-by-turn navigation, while Skype needs access to your microphone so you can make calls – this makes sense.

But if you download an app that's requesting seemingly unrelated information, that's a red flag. A basic calculator app shouldn't be asking for permission to read your storage card or your microphone, for example. Tread carefully – a malicious app could use the permissions you've given it to change your lock screen password and demand a fee to unlock it again.
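The red-flag check described above can be written down as a short script. This is an added example, not part of the original article: the table of what each kind of app should need is an assumption, and the sample text is constructed in the style of the 'requested permissions' section printed by `adb shell dumpsys package <name>`.

```python
import re

# Android permission names mapped to the groups this article describes.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.BODY_SENSORS": "body sensors",
}
# Assumption: what each kind of app plausibly needs; edit to suit your own judgement.
EXPECTED = {"navigation": {"location"}, "calls": {"microphone", "contacts"},
            "wallpaper": {"storage"}, "calculator": set()}

def requested_permissions(dump):
    """Return the names listed under 'requested permissions:' in the dump text."""
    perms, in_block = [], False
    for line in dump.splitlines():
        entry = line.strip()
        if entry == "requested permissions:":
            in_block = True
        elif in_block:
            match = re.match(r"([\w.]+)(:.*)?$", entry)
            if not match:
                break  # next section heading, e.g. "install permissions:"
            perms.append(match.group(1))
    return perms

def red_flags(category, perms):
    """Sensitive permission groups requested but not expected for this kind of app."""
    groups = {SENSITIVE[p] for p in perms if p in SENSITIVE}
    return sorted(groups - EXPECTED.get(category, set()))

# Constructed sample: a wallpaper app asking for far more than it needs.
WALLPAPER_APP = """\
    requested permissions:
      android.permission.INTERNET
      android.permission.SET_WALLPAPER
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    print(red_flags("wallpaper", requested_permissions(WALLPAPER_APP)))
```

An app category that isn't in the table is treated as needing no sensitive permissions, so everything sensitive it requests is reported.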

What's being done to fix it?

Android has been evolving to address this issue. On Android 5.1.1 or earlier, apps will ask you to grant all permissions during installation. Often permissions will be shown in a long list that most users are unlikely to understand or in some cases, read at all.

However, when Android 6.0 was introduced in 2017, a new permissions system called 'Runtime permissions' came with it. With this, you're no longer notified of any app permissions when you install an app. Instead, every app will ask you to grant it permission when it starts running, so you have more control over the data you share and you can make the choice to reject permissions if you don't want to grant them.

Since the arrival of Android 10, users have been able to grant specific permissions to an app only while it's in use. This could, for example, prevent an app from tracking your location in the background. 

However, despite these clear improvements, it's ultimately the user who is in control, and so must remain vigilant and consider the sorts of issues described above when installing and running apps.

Know how to recognise phishing attacks

Phishing is the act of pretending to be a legitimate company to elicit valuable information, and it has now evolved to target smartphone users with increasingly clever tactics.

What's the risk?

When you hear the word 'phishing', you might think of spam emails from fake companies. These will typically appear to be genuine, and tempt you to enter sensitive information that can then be used by hackers.  

Recently, variations including smishing (phishing via text) and vishing (voice phishing that happens over the phone) have become popular ways to target mobile phone users.

For example, a victim of smishing may receive a text message that appears to be from their bank, prompting them to call a number and hand over their secure account information to address an issue with their account.

In our tests, we found vulnerabilities in the media libraries of older Android devices (specifically those running Android 5.1 and under) that could be exploited by phishing attacks. These attacks send media files to victims through MMS, or links in texts to malicious websites, to gain access to the device.

How can I avoid it?

Crucially, it's important to know how to detect and avoid a phishing attempt whichever form it takes. This is a common way in which malicious third parties can prey on individuals, and often no degree of security software or updates can help.

Fortunately it's quite easy to spot the warning signs with a bit of practice:

  • Mis-spelt URLs – check links by hovering over them, but don't click them. Look carefully, as they can often look quite legitimate, eg www.AM4ZON.com.
  • Sender email addresses. Even though the sender might appear as 'Facebook' or 'Paypal', look carefully at the actual email address. If it doesn't appear legitimate, be wary.
  • Be mindful of telltale signs in dodgy emails, such as poor grammar, logos that don't look quite right and vague titles like 'Dear customer'.
  • If you're concerned and want to double-check, log into the website in question through the company's official web address, or call them to confirm the issue.
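The mis-spelt URL check in the list above can also be automated. The script below is an added example, not part of the original article: it compares the host name in a link against a short list of domains you actually use (a constructed list, as an assumption) after undoing common digit-for-letter swaps such as the 4 in AM4ZON. It goes slightly beyond the article's example by also flagging a brand name that appears as part of some other domain.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: a small allow-list of domains you actually use (constructed for the example).
TRUSTED = {"amazon.com", "facebook.com", "paypal.com"}
BRANDS = {d.split(".")[0] for d in TRUSTED}
# Digits commonly swapped in for letters, as in the article's AM4ZON example.
DELEET = str.maketrans("40135", "aoles")

def hostname(link):
    """Return the lower-cased host of a link, with or without a scheme."""
    if "://" not in link:
        link = "//" + link
    return (urlsplit(link).hostname or "").rstrip(".")

def check_link(link, threshold=0.85):
    """Classify a link as 'trusted', 'lookalike:<brand>' or 'unknown'."""
    host = hostname(link)
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return "trusted"
    for label in host.split("."):
        plain = label.translate(DELEET).replace("-", "")
        for brand in sorted(BRANDS):
            # A near-identical label on an untrusted host is the warning sign.
            if SequenceMatcher(None, plain, brand).ratio() >= threshold:
                return "lookalike:" + brand
    return "unknown"

# Constructed sample links, including the article's own example.
SAMPLES = [
    "www.AM4ZON.com",
    "https://www.amazon.com/orders",
    "http://paypa1.com/login",
    "https://www.which.co.uk",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{link:35} {check_link(link)}")
```

A result of 'unknown' only means the link doesn't resemble anything on the list, not that it is safe.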

What's being done to fix the problem?

Some vulnerabilities can be due to weaknesses in an operating system, and Google does address issues with Android upgrades and security patches.

However, phishing attacks have become so sophisticated that learning how to detect and avoid an attempt yourself remains the best defence.

Consider antivirus apps

Even though Google Play Protect acts as protection against malware, you should still consider installing third-party security software, especially if your phone is no longer receiving security updates.

In the same way that antivirus software works for your computer, antivirus apps for your mobile phone are a cheap, and sometimes free, way to protect your phone. They can help to keep your personal data safe by scanning for malware and alerting you to any problems, including if you are visiting unsafe websites or if you download malicious apps.

By ensuring that you are diligently installing security updates and using antivirus software, you're increasing your protection against any potential threats.

It's important to note that if you're using Android version 4.1 or below, you will have trouble finding security apps that are compatible with your mobile phone. In this case, as these phones will no longer be receiving security updates either, you should seriously consider upgrading.

Which antivirus software should I use?

There are free antivirus packages and you can also buy apps, which can cost anywhere from 99p to more premium versions that cost upwards of £20.

Some popular apps are listed below with a few of their features. These apps are free but have optional upgrades that you can pay for:

  • Avast - performs regular scans to find any threats or vulnerabilities and protects against malicious apps and infected links
  • Bitdefender - offers 'on-demand' virus scans and automatically scans any apps you install
  • McAfee - allows you to protect your photos in a private 'media vault' and its threat-scanning detects unsecured wi-fi hotspots

Read more about antivirus software and why it's important in our guide to the Best mobile antivirus software.

How to check your phone operating system version

How to check OS version on Android

As stated, the risk of using an older device generally increases the older it is. Mobile phones running a version of Android 4 and earlier (typically this will include models released around 2012) are at greater risk.

It's fairly easy to check which version of Android you're using, although it does vary by device.

  • Open the main 'Settings' menu on the phone.
  • Look for an entry that reads 'About phone' or similar, typically near the bottom of the menu.
  • You should see an entry that reads 'Android version', followed by a number. If you're a Samsung user, click 'Software information' to see this entry.

Alternatively, you could search for 'Android' or 'Android version' in the search bar of the Settings menu.

If you're not running the most recent Android operating system, you're not necessarily at risk, but the older the version, the greater the need to consider upgrading your phone. And, of course, the more important it is to follow the advice in this guide.

How to check OS version on iOS

  • Open the Settings menu.
  • Choose 'General'.
  • Tap 'About', where you can see the iOS version.
  • Alternatively, choose 'Software update' to see the iOS version, and also check to see whether any updates are available.

The most recent version of iOS is version 14. However, earlier versions may still be refreshed with security updates to help support older phones. If your iPhone is running iOS 11 or earlier, you should consider upgrading the device.

Are iPhones safer than Android phones?

Unlike Android, which is used by a number of manufacturers, iOS is a closed operating system. Apple doesn't share its source code with app developers or users of its products, so there's a lower chance of attackers finding vulnerabilities in its system. For that reason, many believe that iOS is a safer operating system.

Regardless, there's no way to be completely safe, even if you do own an Apple phone – so you should similarly consider the risks of using devices that are no longer supported. 

Which Apple smartphones are a security risk?

The iPhone 6 and earlier are no longer receiving security updates. The iPhone 6 was released in September 2014, so if you're using any of the smartphones below or ones released earlier, you should look to invest in a new model.

  • Apple iPhone 6 and 6 Plus (September 2014)
  • Apple iPhone 5C and 5S (September 2013)
  • Apple iPhone 5 (September 2012)
  • Apple iPhone 4S (October 2011)
  • Apple iPhone 4 (September 2010)

If you're looking to upgrade a phone on a budget, read our guide to the best cheap mobile phones, or if you're willing to spend a little more, we also cover the best mid-range mobile phones.