Viral call-recording app Neon goes dark after exposing users’ phone numbers, call recordings, and transcripts

The call-recording application Neon, which recently gained immense popularity by offering users the chance to earn money from their recorded conversations, has abruptly gone offline due to a critical security issue. Launched just a week ago, Neon quickly climbed to one of the top five free iPhone apps, amassing 75,000 downloads in a single day, according to Appfigures. Neon markets itself as a tool for users to contribute audio data that can help enhance AI models. However, a serious flaw was uncovered that allowed unauthorized access to sensitive user information, including phone numbers, call recordings, and transcripts. This revelation came to light through a test conducted by TechCrunch, which identified the vulnerability and promptly notified the app's founder, Alex Kiam. Following the alert, Kiam confirmed that he took the app's servers offline and began contacting users to inform them of the temporary suspension. Yet, he did not disclose the nature of the security breach in his communications. The critical error stemmed from the app's backend, which failed to restrict access to data from other users, allowing anyone logged in to view private information. During the investigation, TechCrunch set up a new user account and used a network analysis tool to examine the data exchanged between the app and its servers. The findings were alarming: not only could the app display a user’s recent calls and earnings, but it also inadvertently exposed transcripts and direct links to audio files, accessible to anyone with the appropriate link. The vulnerability raised concerns about the potential misuse of the app, suggesting some users might be engaging in lengthy conversations for financial gain by covertly recording discussions with others. In response to the breach, Kiam sent an email to customers emphasizing a commitment to user privacy and the need to enhance security measures, but he failed to mention the specifics of the security lapse. As of now, it remains uncertain when Neon will resume operations or if the incident will draw scrutiny from app stores. Both Apple and Google have been approached for comments regarding Neon’s compliance with their developer guidelines, but have yet to respond. This incident echoes past breaches in popular apps, underlining the ongoing challenge of maintaining user security in the mobile application landscape. Kiam has not clarified whether Neon underwent any security evaluations before its launch or if any user data was compromised during the breach. Efforts to reach out to investors for further comments have also gone unanswered, leaving many questions surrounding the app's future and security practices.