Viral call-recording app Neon goes dark after exposing users’ phone numbers, call recordings, and transcripts

A viral app called Neon, which offers to record your phone calls and pay you for the audio so it can sell that data to AI companies, has rapidly risen to become one of the top-five free iPhone apps since its launch last week. The app already has thousands of users and was downloaded 75,000 times yesterday alone, according to app intelligence provider Appfigures. Neon pitches itself as a way for users to make money by providing call recordings that help train, improve, and test AI models.

But Neon has gone offline, at least for now, after a security flaw allowed anyone to access the phone numbers, call recordings, and transcripts of any other user. TechCrunch discovered the security flaw during a short test of the app on Thursday. The publication alerted the app’s founder, Alex Kiam, to the flaw soon after its discovery.

Kiam told TechCrunch later Thursday that he took down the app’s servers and began notifying users about pausing the app. However, he stopped short of informing his users about the security lapse. The Neon app stopped functioning soon after TechCrunch contacted Kiam.

The problem was that the Neon app’s servers were not preventing any logged-in user from accessing someone else’s data. During testing, a network analysis tool revealed details not visible to regular users, including the text-based transcript of a call and a public web address to the audio files. The backend servers were also capable of producing data about the most recent calls made by other users, providing public links to their raw audio files and transcript text.

Similarly, the servers could be manipulated to reveal the call records, or metadata, of any user. This metadata contained the user’s phone number, the number of the person they called, when the call was made, its duration, and how much money each call earned. A review of a handful of transcripts and audio files suggests some users may be using the app to make lengthy calls that covertly record real-world conversations with other people in order to generate money.
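The flaw described above is a missing per-record ownership check on the server. The sketch below is an added illustration, not Neon's code: it sets a lookup that only requires a login beside one that ties each call record, list query, and audio link to the session's account. All names, record fields, the signing key, and the sample data are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass

SIGNING_KEY = b"constructed-demo-key"  # placeholder; load from a secret store in practice

@dataclass(frozen=True)
class CallRecord:
    owner_id: str        # account that made the recording
    caller_number: str
    callee_number: str
    duration_s: int
    transcript: str
    audio_key: str       # private storage key, never a public URL

# Constructed sample data (fictional 555-01xx numbers).
CALLS = {
    "c1": CallRecord("user-a", "+12025550101", "+12025550102", 310, "hello ...", "a/c1.wav"),
    "c2": CallRecord("user-b", "+12025550103", "+12025550104", 45, "hi ...", "b/c2.wav"),
}

class Forbidden(Exception):
    pass

def get_call_vulnerable(session_user, call_id):
    # Flaw class described above: being logged in is the only check.
    return CALLS[call_id]

def get_call(session_user, call_id):
    rec = CALLS.get(call_id)
    # Same error for "missing" and "not yours", so the response does not reveal which IDs exist.
    if rec is None or rec.owner_id != session_user:
        raise Forbidden(call_id)
    return rec

def recent_calls(session_user):
    # List endpoints are scoped to the session's own account.
    return [cid for cid, r in CALLS.items() if r.owner_id == session_user]

def _sig(audio_key, user, expires):
    msg = f"{audio_key}|{user}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def sign_audio(session_user, call_id, now, ttl=300):
    # Short-lived, per-user token instead of a public link to the audio.
    rec = get_call(session_user, call_id)
    expires = int(now) + ttl
    return rec.audio_key, expires, _sig(rec.audio_key, session_user, expires)

def verify_audio(audio_key, user, expires, sig, now):
    return now < expires and hmac.compare_digest(_sig(audio_key, user, expires), sig)
```

Logging every `Forbidden` together with the session account would also give an operator a record of cross-account access attempts.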

Soon after being alerted to the flaw on Thursday, the company’s founder, Kiam, sent an email to customers about the app’s shutdown. The email stated that data privacy is the company’s top priority and that the app was being temporarily taken down to add extra layers of security. Notably, the email made no mention of a security lapse or that it exposed users’ phone numbers, call recordings, and call transcripts.

It is unclear when Neon will come back online or whether this security lapse will gain the attention of the app stores. Apple and Google have not yet responded to requests for comment about whether Neon was compliant with their respective developer guidelines. This would not be the first time an app with serious security issues has been available on these marketplaces.

When asked, Kiam did not immediately say if the app had undergone any security review ahead of its launch, or if the company has the technical means to determine if anyone else found the flaw before TechCrunch or if any user data was stolen. TechCrunch also reached out to Upfront Ventures and Xfund, which Kiam claims have invested in his app. Neither firm has responded to requests for comment.