The prices of some new phones are astronomical, so it’s no wonder many people are now considering refurbished phones to get a slightly older phone for significantly less money than when it was new.

There are lots of places you can buy a refurbished phone including Music Magpie, CeX and SmartFoneStore. All will check over the phones that they have sourced, ensure that key features are working properly and assign them a grade so buyers know what to expect in terms of their condition.

It’s certainly good for the environment as it’s better to keep using an electronic device than send it to landfill, but there are some risks associated with buying a device that is two or even three years old.

One is that the battery may have significantly less capacity than when it was new. Batteries are technically consumables, but phone makers seal them inside so it’s not really possible to replace them.

Another issue is one that we reported back in March: many Android phones receive software updates for only two or three years before manufacturers stop supporting those models.

While you might miss out on some features in newer versions of Android, the real problem is the lack of security updates. This opens the door for hackers, as any vulnerabilities in a particular version of Android will remain unpatched once those updates stop.

It’s a problem that has existed for a long while in the Android world: Apple supports iPhones for longer and Android makers would do well to follow suit.

A new Which? investigation in May 2020 found that almost a third of phones on sale at CeX had already stopped receiving security updates but that there was no indication or warning to buyers that this was the case – and there still isn’t now.

20% of phones on sale at Music Magpie were found to be outside of support for these updates, but the company has since removed those devices from sale. It said that it will provide information so buyers know if a phone has stopped getting security updates so they can bear this in mind before buying.

SmartFoneStore has also added a warning once you’ve drilled down and selected a particular phone, along with a link to find out more information about the issue.

Older refurbished phones may be vulnerable to hacking

It’s good to see some retailers taking the problem seriously, and these can be good places to buy a used phone because, unlike a private seller on eBay or Gumtree, you get a warranty with them.

If there is no information from a seller about security updates, then the onus is on you to check on a manufacturer’s website if a phone still receives updates or not.

Some popular refurbished phones which don’t get security updates any longer include:

  • Apple iPhone 5
  • Samsung Galaxy A8 Plus (2018)
  • Samsung Galaxy S7
  • Google Pixel XL
  • Huawei P10

Of course, there are plenty of phones that you might be considering which will stop getting updates in the near future such as the Pixel 2, iPhone 5s, OnePlus 5 and Samsung Galaxy A5 (2017 model).

Is it safe to use a phone that doesn’t get security updates?

In short, no. It’s the same as our advice for users of Windows 7, which is no longer supported by Microsoft. Using a device that doesn’t receive new security updates is risky. You might be lucky and have no problems, but you might also end up installing an app containing malware that exploits a security hole that hasn’t been patched.

The consequences could be just about anything: it really depends upon what the vulnerability is. Cybercriminals want to steal your identity and your money, and they’ll use any means to do so.

If you have unwittingly bought a phone that doesn’t get security updates (or are still using a phone you’ve had for several years) there are some things you can do to reduce the risk of being hacked.

  1. Install a good antivirus app (Android only)
  2. Only install apps from reputable app stores (though this isn’t a 100% guarantee of safety)
  3. Don’t grant unnecessary permissions when you install new apps
  4. Don’t tap on unsolicited links in messages or attachments in emails

So-called phishing messages or emails are designed to trick you into thinking they are from a legitimate company so you hand over personal details such as your account password or even financial information. It’s a good idea to learn to spot these fake messages.
