An app named Neon has quickly climbed into the top five free iPhone applications since its launch last week. The viral app lets users record their phone calls and pays them for the audio, which it then sells to AI firms.
Neon has garnered thousands of users, achieving 75,000 downloads in a single day, according to Appfigures. The app markets itself as a means for users to earn money by providing call recordings that assist in training and enhancing AI models.
Security Flaw Discovered
However, Neon has temporarily gone offline due to a security vulnerability that allowed users to access others’ phone numbers, call recordings, and transcripts. TechCrunch identified this flaw during a brief examination of the app and notified its founder, Alex Kiam.
Following our notification, Kiam mentioned that he took the app’s servers offline and began alerting users about the app’s suspension, but did not disclose the security breach.
Exposure of Call Data
The issue stemmed from Neon’s servers allowing any logged-in user to access other users’ data. TechCrunch created a new user account and used a network analysis tool to inspect the app’s traffic to its back-end servers. It found that internal data, including call transcripts and links to call audio, could be retrieved by anyone who had the URL.
Furthermore, the server could expose details about other users’ recent calls, including the phone numbers involved, the duration of each call, and the amount the user earned from it. Those figures also suggested that some users may have been misusing the app to generate income through prolonged calls with others.
Temporary Shutdown
After alerting the company, Kiam sent an email to users announcing the app’s temporary shutdown, emphasizing data privacy as a priority. However, the communication did not mention the security breach that compromised users’ data.
The timeline for Neon’s return remains uncertain, and it’s unclear whether the incident will attract scrutiny from app stores. Traditionally, both Apple and Google have faced challenges in maintaining app security, as demonstrated by previous incidents involving well-known applications.