A viral app called Neon, which offers to record your phone calls and pay you for the audio so it can sell that data to AI companies, has rapidly risen to the ranks of the top-five free iPhone apps since its launch last week.
The app already has thousands of users and was downloaded 75,000 times yesterday alone, according to app intelligence provider Appfigures. Neon pitches itself as a way for users to make by providing call recordings that help train, improve, and test AI models.
But now Neon has gone offline, at least for now, after a security flaw allowed anyone to access the phone numbers, call recordings, and transcripts of any other user, TechCrunch can now report.
TechCrunch discovered the security flaw during a short test of the app on Thursday. We alerted the app’s founder, Alex Kiam (who previously did not respond to a request for comment about the app), to the flaw soon after our discovery.
Kiam told TechCrunch later Thursday that he took down the app’s servers and began notifying users about pausing the app, but fell short of informing his users about the security lapse.
The Neon app stopped functioning soon after we contacted Kiam.
Call recordings and transcripts exposed
At fault was the fact that the Neon app’s servers were not preventing any logged-in user from accessing someone else’s data.
TechCrunch created a new user account on a dedicated iPhone and verified a phone number as part of the sign-up process. We used a network traffic analysis tool called Burp Suite to inspect the network data flowing in and out of the Neon app, allowing us to understand how the app works at a technical level, such as how the app communicates with its back-end servers.
After making some test phone calls, the app showed us a list of our most recent calls and how much money each call earned. But our network analysis tool revealed details that were not visible to regular users in the Neon app. These details included the text-based transcript of the call and a web address to the audio files, which anyone could publicly access as long as they had the link.
For example, here you can see the transcript from our test call between two TechCrunch reporters confirming that the recording worked properly.
But the backend servers were also capable of spitting out reams of other people’s call recordings and their transcripts.
In one case, TechCrunch found that the Neon servers could produce data about the most recent calls made by the app’s users, as well as providing public web links to their raw audio files and the transcript text of what was said on the call. (The audio files contain recordings of just those who installed Neon, not those they contacted.)
Similarly, the Neon servers could be manipulated to reveal the most recent call records (also known as metadata) from any its users. This metadata contained the user’s phone number and the phone number of the person they’re calling, when the call was made, its duration, and how much money each call earned.
A review of a handful of transcripts and audio files suggests some users may be using the app to make lengthy calls that covertly record real-world conversations with other people in order to generate money through the app.
App shuts down, for now
Soon after we alerted Neon to the flaw on Thursday, the company’s founder, Kiam, sent out an email to customers alerting them to the app’s shutdown.
“Your data privacy is our number one priority, and we want to make sure it is fully secure even during this period of rapid growth. Because of this, we are temporarily taking the app down to add extra layers of security,” the email, shared with TechCrunch, reads.
Notably, the email makes no mention of a security lapse or that it exposed users’ phone numbers, call recordings, and call transcripts to any other user who knew where to look.
It’s unclear when Neon will come back online or whether this security lapse will gain the attention of the app stores.
Apple and Google have not yet responded to TechCrunch’s requests for comment about whether or not Neon was compliant with their respective developer guidelines.
However, this would not be the first time that an app with serious security issues has made it onto these app marketplaces. Recently, a popular mobile dating companion app, Tea, experienced a data breach, which exposed its users’ personal information and government-issued identity documents. Popular apps like Bumble and Hinge were caught in 2024 exposing their users’ locations. Both stores also have to regularly purge malicious apps that slip past their app review processes.
When asked, Kiam did not immediately say if the app had undergone any security review ahead of its launch, and if so, who performed the review. Kiam also did not say, when asked, if the company has the technical means, such as logs, to determine if anyone else found the flaw before us or if any user data was stolen.
TechCrunch additionally reached out to Upfront Ventures and Xfund, which Kiam claims in a LinkedIn post have invested in his app. Neither firm has responded to our requests for comment as of publication.
.jpg?w=100&resize=100,70&ssl=1 "The Best Podcasts for Everyone")
/cdn.vox-cdn.com/uploads/chorus_asset/file/25719630/247350_CMBF_2024_EWinataBlackFriday_2040x1360.png?w=100&resize=100,70&ssl=1 "Here are the best Black Friday deals you can already get")
