Neon App Exposes Users’ Private Data in Major Security Flaw Amid Rapid Growth
A surging phone application, Neon, which offers users the opportunity to monetize their call recordings by selling them to AI companies, has rapidly ascended to the top five free iPhone applications since its recent debut.
With thousands of users and 75,000 downloads on a single day, according to Appfigures, Neon markets itself as a platform for users to earn income by contributing call recordings used in training, enhancing, and testing AI models.
However, the app has encountered an offline status, at least temporarily, due to a security vulnerability that allowed unauthorized access to other users’ phone numbers, call recordings, and transcripts.
During a brief test of the Neon app on Thursday, TechCrunch discovered the security flaw and promptly notified the app’s founder, Alex Kiam, about it. Kiam subsequently took down the app’s servers and informed users of a temporary pause in service but failed to disclose the underlying security breach.
Shortly after we contacted Kiam, the Neon app stopped working. The flaw stemmed from missing server-side authorization checks: the servers verified that a requester was logged in, but not that the data being requested belonged to that user, so any logged-in user could retrieve other users’ records.
To verify the issue, TechCrunch created a new user account on an iPhone and completed the sign-up process by providing a valid phone number. Using Burp Suite, an intercepting proxy, we inspected the traffic exchanged between the Neon app and its servers to understand how the application works.
After making test calls, the app displayed our recent call history along with earnings for each call. However, the proxy showed that the server responses also carried details the app’s interface does not display. These included the text transcript of the call and a web address for the audio file, which anyone with the link could fetch without authentication.
For example, our test call between two TechCrunch reporters confirmed that the recording functioned correctly, as evidenced by the accompanying transcript.
However, the Neon servers would also return large quantities of other users’ call recordings and transcripts. In one instance, TechCrunch found that the Neon servers could be queried for the most recent calls made by its users, along with public web links to their raw audio files and the transcribed text of those conversations. (It is important to note that the audio files only contained recordings of individuals who had installed Neon, not those they contacted.)
Similarly, the Neon servers could be queried for the most recent call records (also known as metadata) of any user. This metadata included the user’s phone number and the number they called, the time the call was made, its duration, and the earnings generated from each call.
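The two weaknesses described above, a records endpoint that checks login but not ownership, and audio served from permanent links that work for anyone who has them, are what a pentester would file as broken object-level authorization and unauthenticated object storage. The following is an added illustration written for this page, not Neon’s code and not based on any knowledge of Neon’s backend. It assumes a hypothetical in-memory call store, a hypothetical `SIGNING_KEY`, and a placeholder CDN host `cdn.example.invalid`; the sample records are constructed. It shows a vulnerable handler beside a hardened one and an HMAC-signed, expiring audio URL in place of a bare public link:

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical server-side secret; in practice load it from a secrets store.
SIGNING_KEY = b"replace-with-a-real-secret"
CDN = "https://cdn.example.invalid"  # placeholder host, not a real service


@dataclass(frozen=True)
class CallRecord:
    call_id: int
    owner: str          # account that uploaded the recording
    caller: str
    callee: str
    started_at: int     # unix seconds
    duration_s: int
    earnings_usd: float
    audio_key: str      # object-storage key of the raw audio
    transcript: str


# Constructed sample data: two accounts, three calls. Sequential IDs make
# enumeration trivial, which is exactly what an ownership check must resist.
CALLS = {
    1: CallRecord(1, "alice", "+15550000001", "+15550000002", 1700000000, 300, 0.30, "audio/1.m4a", "alice call one"),
    2: CallRecord(2, "bob", "+15550000003", "+15550000004", 1700000100, 1200, 0.90, "audio/2.m4a", "bob call one"),
    3: CallRecord(3, "bob", "+15550000003", "+15550000005", 1700000400, 60, 0.05, "audio/3.m4a", "bob call two"),
}


def _fields(rec: CallRecord) -> dict:
    return {
        "call_id": rec.call_id, "caller": rec.caller, "callee": rec.callee,
        "started_at": rec.started_at, "duration_s": rec.duration_s,
        "earnings_usd": rec.earnings_usd, "transcript": rec.transcript,
    }


def get_call_vulnerable(session_user: str, call_id: int) -> Optional[dict]:
    """Requires a session but never checks ownership, and hands out a permanent public link."""
    rec = CALLS.get(call_id)
    if rec is None:
        return None
    return {**_fields(rec), "audio_url": f"{CDN}/{rec.audio_key}"}


def sign_audio_url(key: str, user: str, ttl_s: int, now: Optional[int] = None) -> str:
    """Bind the object key to the requesting user and an expiry with an HMAC."""
    exp = (now if now is not None else int(time.time())) + ttl_s
    sig = hmac.new(SIGNING_KEY, f"{key}|{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{CDN}/{key}?user={user}&exp={exp}&sig={sig}"


def verify_audio_url(url: str, now: Optional[int] = None) -> bool:
    """What the CDN edge would run: recompute the HMAC over key, user and expiry, then check expiry."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        user, exp, sig = q["user"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    key = parts.path.lstrip("/")
    expected = hmac.new(SIGNING_KEY, f"{key}|{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    return (now if now is not None else int(time.time())) < exp


def get_call_hardened(session_user: str, call_id: int) -> Optional[dict]:
    """Scope the lookup to the caller's own records; return the same 'not found' for
    missing and foreign IDs so the endpoint cannot be used to confirm which IDs exist."""
    rec = CALLS.get(call_id)
    if rec is None or rec.owner != session_user:
        return None
    return {**_fields(rec), "audio_url": sign_audio_url(rec.audio_key, session_user, ttl_s=300)}


def enumerate_calls(fetch: Callable[[str, int], Optional[dict]], session_user: str, max_id: int) -> list:
    """Walk sequential IDs the way the article's proxy session effectively did."""
    return [r for r in (fetch(session_user, i) for i in range(1, max_id + 1)) if r is not None]


if __name__ == "__main__":
    print("vulnerable:", [r["call_id"] for r in enumerate_calls(get_call_vulnerable, "alice", 10)])
    print("hardened:  ", [r["call_id"] for r in enumerate_calls(get_call_hardened, "alice", 10)])
```

Run as a script, the vulnerable handler lets `alice` walk every call in the store, while the hardened one returns only her own. The signed URL is still only as strong as the key handling and TTL behind it; it narrows "anyone with the link" to "the user the server issued it to, for five minutes", which is the property the plain links lacked.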
A review of a few transcripts and audio files suggests that some users may be employing the app to record extended conversations with others for monetary gain through the platform.
Following our disclosure of the flaw on Thursday, Neon’s founder, Kiam, issued an email to customers announcing the temporary shutdown of the app. The email stated: “We prioritize your data privacy and are committed to ensuring its complete security even during this phase of accelerated growth. As a result, we have temporarily taken the app offline to add additional layers of security.”
The email did not acknowledge the security lapse or the exposure of users’ phone numbers, call recordings, and transcripts to any user who knew where to look. It remains unclear when Neon will be restored or if this security breach will draw attention from app stores.
Apple and Google have yet to respond to TechCrunch’s inquiries regarding whether Neon adheres to their respective developer guidelines. However, it is not the first time that an application with significant security concerns has found its way onto these app marketplaces. In recent history, a popular mobile dating companion app, Tea, experienced a data breach that exposed users’ personal information and identity documents. Well-known apps like Bumble and Hinge were also found to be disclosing their users’ locations in 2024. Both stores regularly purge malicious applications that slip past their review processes.
When asked, Kiam did not immediately confirm whether the app underwent a security evaluation prior to its release or who conducted the assessment. Kiam also declined to specify, when queried, if the company possesses the technical means, such as logs, to determine if anyone else discovered the flaw before us or if any user data was stolen.
TechCrunch additionally reached out to Upfront Ventures and Xfund, entities claimed by Kiam in a LinkedIn post to have invested in his application. Neither firm has responded to our requests for comment as of publication.