A viral app called Neon, which offers to record your phone calls and pay you for audio so that it can sell the data to AI companies, since the launch last week has increased rapidly to the rank of top-five free iPhone apps.
According to the app intelligence provider APFIGURES, the app already has thousands of users and was downloaded alone 75,000 times yesterday. Neon pitchs itself in a way that earns money by providing call recording to users that helps the AI model train, improve and test.
But the neon has gone offline, at least for now, allows anyone to reach the phone numbers, call recording and any other user tape after a safety defect, Techcrunch can now report.
Techcrunch on Thursday discovered safety defects during a small test of the app. We alerted the founder of the app, Alex Kim (who had not responded to the request to comment on the first app) for the blame immediately after our discovery.
Kim later on Thursday told Techcrunch that he took down the server of the app and began to inform users about stopping the app, but was less than informing his users about the safety omission.
We stopped working soon after contacting Kim.
Call recording and tape exposed
It was mistakenly the fact that the servers of the Neon app were not preventing any login user from reaching someone else’s data.
Techcrunch created a new user account on a dedicated iPhone and verified a phone number as part of the sign-up process. We used a network traffic analysis tool called Burp Suite to inspect the network data flowing inside and out of the Neon app, allowing us to understand how the app works at the technical level, such as how the app communicates with its back-end server.
After making some test phone calls, the app showed us a list of our most recent calls and how much money earned to each call. But our network analysis tool revealed the details that were not visible to regular users in the Neon app. These details included the call-based transcript and a web address for audio files, which one could publicly access until they had a link.
For example, here you can see transcripts from our test calls between two Techcrunch reporters, which is confirmed that the recording works properly.
But the back-end server was also able to spit the call recording of other people and their tape rims.
In one case, Techcrunch found that NEON can produce data about the most recent calls made by users of Server App, as well as providing public web links to its raw audio files and the transcript text of what was said on the call. (Audio files only record recording of people who established Neon, not those who contacted them.)
Similarly, neon server can be manipulated to reveal the most recent call records (also known as metadata) from any of its users. This metadata had the user’s phone number and the person’s phone number they are calling, when the call was made, its duration, and how much money was earned to each call.
Review of a handful of tape and audio files suggests that some user can use the app to make long calls that record the real world interaction with other people to generate money through the app.
App shutdown, for now
Soon after, we alerted Neon for blame on Thursday, the company’s founder, Kim sent an email to the customers, which warns him to the shutdown of the app.
Shared with Techcrunch, “Your data privacy is our number one priority, and we want to ensure that it is completely safe even during this period of rapid development. Because of this, we are taking the app down to temporarily adding additional layers of security.”
In particular, the email does not mention a safety lapse or it exposes users’ phone number, call recording, and call tape to another user who knew where to see.
It is not clear that when Neon comes back online or whether this safety omission will attract the attention of the app store.
Apple and Google have not yet commented after Techcrunch’s outreach whether Neon was in line with its respective developer guidelines.
However, this will not be the first time that an app with serious security issues has created it on these app marketplace. Recently, a popular mobile dating companion app, TEA, experienced a data breech, which highlighted the personal information and identity documents released by the government. Popular apps like Bumble and Hinge were caught in 2024 highlighting their users’ places. Both stores have to purify regular malicious apps that slip behind the review processes of their app.
Asked, Kim did not immediately say whether the app had no security review before its launch, and if yes, who did the reviewer. Kim did not even say, when asked whether the company had technical means, such as logs, to determine if someone else has found a blame in front of us or if a user data was stolen.
Techcrunch additionally reached the upfront ventures and XFund, which claims Kiam A linkeded post Have invested in your app. Neither the firm has responded to our requests to comment as publication.
