The viral iPhone app Neon, which surged to the top five free apps in the App Store by promising to pay users for their call recordings, has abruptly ceased operations. The shutdown follows the discovery of a critical security vulnerability that exposed sensitive user data, including private phone numbers, call transcripts, and audio files, to unauthorized access.
Launched only last week, the app gained massive traction, recording 75,000 downloads in a single day. Its business model relied on harvesting call data to train and test artificial intelligence models. However, that growth hit a wall when researchers identified a flaw that allowed any authenticated user to access the records of others.
Massive Exposure of Private Data
The vulnerability stemmed from a failure in the app’s back-end server architecture, which lacked proper authorization checks. During a security audit, researchers used network traffic analysis tools to intercept data flowing between the application and its servers.

The analysis revealed that while the app interface displayed only basic information, the server was responding with raw audio links and complete transcripts. The exposure included:
- Metadata: Caller and receiver phone numbers, call duration, and timestamps.
- Content: Full text transcripts of conversations.
- Audio: Publicly accessible links to raw audio files of the calls.
Because the app was marketed as a way to “monetize” calls, some users were reportedly recording lengthy, real-world conversations to maximize their earnings, unaware that these private exchanges were effectively public.
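The two failures described above (a back end that checks login but not ownership, and responses carrying more than the interface shows) can be sketched as an added example; this is not Neon's code. The record layout, function names, UI field list, and sample data are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, asdict
from typing import Optional

@dataclass
class CallRecord:
    call_id: int
    owner_id: int      # account that uploaded the recording
    caller: str
    receiver: str
    duration_s: int
    transcript: str
    audio_url: str

# Constructed sample records; numbers and URLs are placeholders.
CALLS = {
    1: CallRecord(1, 100, "+15550100001", "+15550100002", 62,
                  "constructed transcript A", "https://cdn.example/audio/1.wav"),
    2: CallRecord(2, 200, "+15550100003", "+15550100004", 340,
                  "constructed transcript B", "https://cdn.example/audio/2.wav"),
}
UI_FIELDS = ("call_id", "duration_s")  # assumption: all the client screen renders
AUDIT = []                             # stand-in for a durable access log

class Denied(Exception):
    pass

def get_call_flawed(user_id: Optional[int], call_id: int) -> dict:
    """Authenticated-only check: any logged-in user gets any full record."""
    if user_id is None:
        raise Denied("login required")
    return asdict(CALLS[call_id])

def get_call_checked(user_id: Optional[int], call_id: int) -> dict:
    """Object-level check, field allowlist, and an audit entry per request."""
    rec = CALLS.get(call_id)
    allowed = user_id is not None and rec is not None and rec.owner_id == user_id
    AUDIT.append({"user": user_id, "call": call_id, "allowed": allowed})
    if not allowed:
        # One error for "missing" and "not yours", so ids cannot be probed.
        raise Denied("not found")
    return {name: getattr(rec, name) for name in UI_FIELDS}

if __name__ == "__main__":
    print(sorted(get_call_flawed(100, 2)))   # every field of another user's call
    print(get_call_checked(100, 1))          # own call, UI fields only
    try:
        get_call_checked(100, 2)
    except Denied as exc:
        print("denied:", exc, AUDIT[-1])
```

The audit entry written on every request, allowed or denied, is what later lets an operator say whether records were read by accounts that did not own them.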
Strategic Shutdown and Opaque Communication
Following contact from investigators, Neon founder Alex Kiam moved to take the servers offline. In a subsequent email to users, the company cited a need for “extra layers of security” due to “rapid growth,” but notably failed to disclose that a breach had already occurred.
Questions remain regarding the extent of the exposure. Kiam has not confirmed whether the company maintains logs to determine if unauthorized parties accessed this data before the vulnerability was patched. Furthermore, there has been no clarification on whether the app underwent any professional security review prior to its launch.
The incident raises renewed concerns about the oversight of apps in major marketplaces. Despite strict developer guidelines, high-risk applications continue to bypass initial reviews. Neither Apple nor Google has commented on whether Neon violated their respective terms of service. Additionally, venture capital firms linked to the app, including Upfront Ventures and Xfund, have remained silent regarding their investment in the project.
