A new mobile application called Neon has quickly become a sensation, achieving a spot among the top five free iPhone apps just one week after its launch. This innovative app allows users to record their phone calls and offers them a unique opportunity to earn money by selling these recordings to artificial intelligence companies. According to app intelligence provider Appfigures, Neon was downloaded an impressive 75,000 times in a single day, indicating a growing user base rapidly drawn to its financial incentives.
Neon promotes itself as a platform for users to monetize their call recordings, which are utilized to train and enhance AI models. However, the app's promising concept has been overshadowed by a significant security vulnerability that has forced it offline, at least temporarily. TechCrunch reported this security flaw, which exposed users' phone numbers, call recordings, and transcripts to anyone with access to the app.
During a routine test of the Neon app, TechCrunch discovered that its servers lacked proper security measures, so any logged-in user could access other users' sensitive data. The investigation involved creating a new user account on a dedicated iPhone and using a network traffic analysis tool, Burp Suite, to inspect the data flowing in and out of the app. This analysis revealed how the app interacts with its backend servers and exposed the privacy failures described below.
After making several test calls through the Neon app, the team was able to view not only their own call earnings but also sensitive information regarding other users. The app inadvertently provided access to call transcripts and direct links to audio files that anyone could retrieve if they had the URL. This included metadata related to calls, such as the participants’ phone numbers, the timing and duration of calls, and earnings per call.
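The class of flaw described above is a missing server-side ownership check combined with audio links that work for anyone who holds the URL. The sketch below is an added illustration, not code from Neon or from TechCrunch's reporting; the record layout, function names and signing key are all hypothetical. It shows the login-only check next to a per-record ownership check and a short-lived, user-bound signature for audio links.

```python
import hashlib
import hmac
import time

# Constructed sample records; the field names are assumptions, not Neon's schema.
CALLS = {
    "c1": {"owner": "alice", "audio": "c1.m4a", "transcript": "(sample)"},
    "c2": {"owner": "bob", "audio": "c2.m4a", "transcript": "(sample)"},
}
URL_KEY = b"demo-only-secret"  # assumption: a key held only by the server


class Forbidden(Exception):
    pass


def get_call_login_only(session_user, call_id):
    """The flawed pattern: being logged in is the only condition checked."""
    if session_user is None:
        raise Forbidden("login required")
    return CALLS[call_id]


def get_call(session_user, call_id):
    """Hardened: the record must belong to the authenticated caller."""
    rec = CALLS.get(call_id)
    # Same error for "missing" and "not yours", so IDs cannot be probed.
    if session_user is None or rec is None or rec["owner"] != session_user:
        raise Forbidden("not found")
    return rec


def _sig(audio, user, exp):
    msg = "\n".join([audio, user, str(exp)]).encode()
    return hmac.new(URL_KEY, msg, hashlib.sha256).hexdigest()


def sign_audio_link(session_user, call_id, now=None, ttl=300):
    """Issue (file, expiry, signature) only after the ownership check passes."""
    rec = get_call(session_user, call_id)
    exp = int(time.time() if now is None else now) + ttl
    return rec["audio"], exp, _sig(rec["audio"], session_user, exp)


def verify_audio_link(audio, session_user, exp, sig, now=None):
    """Reject links that are expired, altered, or replayed by another user."""
    now = time.time() if now is None else now
    return hmac.compare_digest(_sig(audio, session_user, exp), sig) and now <= exp
```
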
In some instances, it appeared that users might exploit the app for lengthy recordings of private conversations in an attempt to generate income. This misuse raises serious ethical and legal concerns regarding privacy and consent.
Following the notification of the security flaw, Neon’s founder, Alex Kiam, promptly decided to take the app's servers offline. In an email sent to users, Kiam emphasized the company’s commitment to data privacy, stating, “Your data privacy is our number one priority, and we want to make sure it is fully secure even during this period of rapid growth.” Despite this assurance, the email failed to mention the specific security issues that had been uncovered.
It remains unclear when Neon will be operational again or whether the security breach will attract scrutiny from app stores. TechCrunch has reached out to both Apple and Google for comment on whether Neon meets their developer guidelines, but there has been no response yet. This incident raises important questions about the vetting process for applications that manage sensitive user data.
The situation with Neon is not isolated; similar security issues have plagued other popular applications. For instance, the mobile dating app Tea recently suffered a data breach that compromised user information, while platforms like Bumble and Hinge have faced scrutiny for exposing user locations. This highlights a broader trend of security vulnerabilities affecting a variety of apps in today’s digital landscape.
As the tech community watches closely, it remains to be seen if Neon will implement the necessary security measures to prevent future breaches and regain user trust. Kiam has yet to confirm whether any security review was conducted prior to the app's launch or if user data was compromised before the flaw was discovered.