The Android Sunset: Why Surfshark’s Move to Abandon Older Phones Is a Bellwether for the VPN Industry

Surfshark is ending app updates for older Android versions, a strategic decision impacting millions of users and highlighting a broader industry trend. This deep dive explores the security implications, competitive pressures, and the difficult balance between innovation and supporting a legacy user base in the evolving cybersecurity market.
Written by Ava Callegari

In a move that underscores a growing tension in the software industry, virtual private network provider Surfshark has quietly begun phasing out support for a swath of older Android devices, a decision that affects millions of users globally and signals a strategic pivot toward modern security architecture at the expense of backward compatibility. The company will no longer provide application updates, including critical security patches, for devices running Android versions 5, 6, and 7—codenamed Lollipop, Marshmallow, and Nougat, respectively.

The change, first highlighted by industry publication TechRadar, means users on these aging operating systems will be frozen on Surfshark version 4.13.0. While the app may continue to function for an indeterminate period, it will exist in a state of managed decline, devoid of new features and, more alarmingly, unprotected against newly discovered vulnerabilities. Surfshark’s official guidance advises affected customers to upgrade their device’s operating system or, if that’s not possible, their physical hardware—a recommendation that is technically sound but economically challenging for many.

In a statement on its support pages, the company framed the decision as a necessary step “to provide our users with the best possible product,” a standard corporate rationale for sunsetting legacy products. This process, known as planned obsolescence, is a common if often contentious practice in technology, forcing a difficult conversation about the lifecycle of digital services and the responsibilities providers have to their entire customer base, not just those with the latest gadgets.

A Calculated Move in a High-Stakes Security Game

Behind Surfshark’s decision lies a complex calculus of resource allocation, technical debt, and the escalating demands of modern cybersecurity. Supporting older operating systems is an expensive and time-consuming endeavor. Developers must contend with deprecated application programming interfaces (APIs), create workarounds for features that newer systems handle natively, and dedicate significant quality assurance resources to testing on a fragmented ecosystem of obsolete hardware. This diverts engineering talent and capital away from innovation and fortifying defenses on the platforms where the vast majority of users reside.

While the number of users on these older Android versions is shrinking, it is far from negligible. Data from analytics firms like Statcounter indicates that Android 7 and its predecessors still command a small but significant slice of the global market, collectively running on tens of millions of active devices. These are often lower-cost phones prevalent in emerging markets, or secondary devices for users in developed nations, and their owners represent a segment of the population that is frequently more vulnerable to digital threats.

By drawing a line at Android 8 (Oreo), Surfshark is making a strategic bet that the cost of servicing this long tail of legacy users outweighs the benefits of retaining them. It’s a move that prioritizes the security and performance of its core product on modern platforms, implicitly accepting the potential churn of customers who are unable or unwilling to upgrade. This reflects a broader industry trend where the pace of security evolution, particularly in the encryption and network protocol space, makes supporting older, less secure operating systems an increasingly untenable risk.

The Ripple Effect on the Competitive Environment

Surfshark’s policy shift does not occur in a vacuum. An analysis of its chief rivals reveals a divided approach to legacy support, positioning Surfshark firmly within the industry mainstream. NordVPN, a sister company to Surfshark under the Nord Security umbrella, also requires Android 7.0 or later for its application. Similarly, Proton VPN, known for its strong privacy-first stance, mandates Android 6.0 as its minimum requirement. These policies suggest a consensus among many top-tier providers that the security liabilities and development overhead of supporting systems nearly a decade old are too great.

However, not all competitors are following the same playbook. ExpressVPN, another premium player in the market, continues to offer support for devices running Android 5.0 and higher, according to its Google Play Store listing and support documents. This distinction provides ExpressVPN with a key competitive advantage, allowing it to market itself as a more accessible solution for users with older hardware. This divergence in strategy highlights a fundamental debate within the industry: should a VPN service aim to protect as many users as possible, regardless of their device’s age, or should it focus on delivering the most advanced security possible, even if it means leaving some users behind?

The decision by Surfshark and others to end support creates an opportunity for smaller or more specialized VPN providers to cater to this underserved market. However, these users must be cautious, as providers willing to support antiquated systems may themselves be cutting corners on security infrastructure or protocol implementation. The market is effectively bifurcating, with major brands consolidating around modern, secure platforms while a niche of legacy-friendly services emerges to fill the void.

Navigating the Unseen Risks of Digital Obsolescence

For the end-user, the implications of using an outdated VPN application are severe and often invisible. A VPN is a tool of trust, routing a user’s entire internet traffic through its servers. When the client software is no longer receiving security updates, that trust is fundamentally broken. New exploits and vulnerabilities are discovered constantly, and without a patching mechanism, an old VPN app becomes a permanent, unfixable security hole on a device. The very tool meant to provide protection can become the vector for an attack.

The risks extend beyond direct exploits. Older software may be locked into using outdated cryptographic standards or VPN protocols that are now considered weak or compromised. For example, newer protocols like WireGuard offer significant speed and security advantages over older options like OpenVPN or IKEv2, but they may not be fully supported or optimized on legacy app versions. This can lead to substandard performance and, in a worst-case scenario, potential data leaks if the connection falters or fails to properly tunnel all traffic, a risk well-documented by cybersecurity agencies like the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Furthermore, without updates, the app will inevitably suffer from compatibility issues as the digital world moves on. Servers may be reconfigured, authentication methods updated, and network infrastructure changed in ways that the old app cannot understand, leading to connection failures or instability. The user is left with a false sense of security, believing they are protected when, in fact, their connection is either vulnerable or non-functional.

The User Conundrum: Upgrade, Switch, or Risk It?

The decision by Surfshark places a significant burden on affected customers, particularly those for whom a new smartphone is a major financial investment. The digital divide—the gap between those who have access to modern technology and those who do not—is a real and persistent issue. For these users, the choice is not a simple one. They are faced with three options: invest in new hardware, find an alternative VPN service that still supports their device, or continue using the outdated Surfshark app and accept the associated risks.

Online forums and social media platforms show a mixed reaction from the user base. While many tech-savvy users understand the rationale behind the move, others express frustration at being forced into an upgrade cycle. This sentiment reflects a wider consumer weariness with a technology industry that often prioritizes relentless forward momentum over long-term product stability and support. It’s a pragmatic business decision that can feel like a betrayal to a loyal, if small, segment of the customer base.

Ultimately, Surfshark’s sunsetting of support for older Android versions is more than a minor technical update; it is a microcosm of the broader challenges facing the digital services industry. It highlights the relentless push for stronger security, the economic realities of software development, and the difficult, often unacknowledged, consequences for users left on the wrong side of a technological dividing line. As the digital world accelerates, the question of who gets left behind, and why, will only become more critical.
