Neon App Shuts Down After Exposing Users’ Private Call Data Amid Security Flaw

Neon, a fast-rising mobile app that records users’ phone calls and pays them for the audio, which it sells to artificial intelligence companies, has climbed into the top five free iPhone apps since its launch.
With thousands of users and 75,000 downloads on its release day alone, according to Appfigures, Neon pitches itself as a way for users to earn money by supplying call recordings used to train, improve, and test AI models.
Neon’s operations have now been paused because of a security flaw that allowed any logged-in user to access other users’ phone numbers, call recordings, and transcripts. The flaw surfaced after an independent party examined the app.
During that evaluation, it emerged that Neon’s servers performed no server-side authorization check to stop a logged-in user from retrieving data belonging to someone else. The tester created a fresh account on a dedicated iPhone, verified a phone number during sign-up, and then routed the app’s traffic through Burp Suite to inspect the requests and responses flowing between the app and Neon’s servers. The API responses carried data that the app’s interface never displays to a regular user.
That data included the text transcript of calls and the web addresses of the audio files, which could be fetched without authentication by anyone who knew the link. In one case, the tester found that Neon’s servers would return details of the most recent calls made by its users, together with public links to the raw audio files and the transcript of what was said. In practice this is the pattern usually classed as broken object-level authorization: the server trusts the identifier the client supplies and never verifies that the requester owns the record.
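The two failures the article describes, an endpoint that returns whichever record the client asks for without checking ownership and audio stored behind plain public links, are easy to reproduce in miniature. The following Python is an added illustration written for this page; it is not Neon’s code, and every name, phone number, identifier, bucket URL and signing key in it is constructed for the example. It places the vulnerable handlers beside hardened ones that scope queries to the authenticated user, return the same “not found” result for missing and foreign records, and hand out short-lived HMAC-signed audio URLs instead of bare links.

```python
"""Hypothetical call-recording API (added example, not Neon's code).

Models the two failures described above: a record endpoint that never checks
which user owns the record (broken object-level authorization / IDOR), and
audio exposed through plain public URLs. The hardened versions check
ownership and issue short-lived HMAC-signed URLs instead.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional


# --- constructed sample data: all ids, numbers and text are made up ---
@dataclass
class CallRecord:
    call_id: int
    owner_id: int
    phone_number: str
    transcript: str
    audio_path: str  # object key in storage, e.g. "audio/1001.m4a"


CALLS = {
    1001: CallRecord(1001, 1, "+15550000001", "hi, about the invoice...", "audio/1001.m4a"),
    1002: CallRecord(1002, 2, "+15550000002", "calling about the lab results", "audio/1002.m4a"),
}
PUBLIC_BUCKET = "https://storage.example.invalid"  # assumed storage host
SIGNING_KEY = b"rotate-me-server-side-secret"        # assumed server-only secret


# --- vulnerable: trusts the caller-supplied call_id, ignores the session user ---
def get_call_vulnerable(session_user_id: int, call_id: int) -> Optional[dict]:
    rec = CALLS.get(call_id)
    if rec is None:
        return None
    # No ownership check: user 1 can request call 1002 and read user 2's data.
    return {
        "phone_number": rec.phone_number,
        "transcript": rec.transcript,
        # Bare URL: anyone holding it can fetch the audio with no credentials.
        "audio_url": f"{PUBLIC_BUCKET}/{rec.audio_path}",
    }


def recent_calls_vulnerable(session_user_id: int, limit: int = 10) -> list:
    # Lists the newest calls across *all* users, not just the caller's.
    return sorted(CALLS, reverse=True)[:limit]


# --- hardened: object-level authorization plus signed, expiring audio URLs ---
def sign_audio_url(audio_path: str, expires_at: int) -> str:
    msg = f"{audio_path}|{expires_at}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"{PUBLIC_BUCKET}/{audio_path}?exp={expires_at}&sig={sig}"


def verify_audio_url(audio_path: str, expires_at: int, sig: str,
                     now: Optional[int] = None) -> bool:
    """Storage-side check: the URL is valid only if unexpired and untampered."""
    now = int(time.time()) if now is None else now
    if now >= expires_at:
        return False
    msg = f"{audio_path}|{expires_at}".encode()
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison


def get_call_secure(session_user_id: int, call_id: int,
                    now: Optional[int] = None, ttl: int = 300) -> Optional[dict]:
    rec = CALLS.get(call_id)
    # Same result for "missing" and "not yours", so the endpoint does not
    # reveal which identifiers exist.
    if rec is None or rec.owner_id != session_user_id:
        return None
    now = int(time.time()) if now is None else now
    return {
        "phone_number": rec.phone_number,
        "transcript": rec.transcript,
        "audio_url": sign_audio_url(rec.audio_path, now + ttl),
    }


def recent_calls_secure(session_user_id: int, limit: int = 10) -> list:
    # Scope the query to the authenticated user before ordering and limiting.
    mine = [cid for cid, r in CALLS.items() if r.owner_id == session_user_id]
    return sorted(mine, reverse=True)[:limit]


if __name__ == "__main__":
    print("vulnerable:", get_call_vulnerable(1, 1002))  # leaks user 2's call
    print("secure:", get_call_secure(1, 1002))          # None
    print("secure, own record:", get_call_secure(1, 1001))
```

The ownership test belongs on every object-returning endpoint, not only the one the tester happened to hit; the “recent calls” listing is the same bug with a list instead of a single record. Signed URLs do not replace that check, they only limit how long and for which object a leaked link is useful, and the signing key must never be shipped in the app.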
Once notified of the flaw, the app’s founder took the servers offline to protect users’ data and told users the service was paused. That notice, however, said nothing about the security lapse or about the exposure of user data.
It is not yet clear when Neon will resume operations, or whether the breach will draw scrutiny from the app stores. Neither Apple nor Google has so far responded to questions about whether Neon complies with their respective developer guidelines.
This would not be the first time an app with serious security problems has reached these marketplaces. Recently, a popular mobile dating companion app suffered a data breach that exposed users’ personal information and government-issued identity documents. Bumble and Hinge also drew scrutiny in 2024 for disclosing their users’ locations. Both stores have previously removed malicious apps that slipped past their review processes.
The app’s founder has not said whether the application underwent a security review before launch, or who would have carried one out. It is also unknown whether the company keeps the records, such as server access logs, that would let it determine whether anyone found the flaw before the tester did, or whether user data was actually taken.