A viral app called Neon, which offers to record your phone calls and pay you for the audio so that it can sell this data to AI companies, has rapidly risen in the ranks of the top free iPhone apps since last week.
The app already has thousands of users and was downloaded 75,000 times yesterday, according to app intelligence provider Appfigures. Neon pitches itself as a way for users to make money by providing call recordings that help train and improve AI models.
But Neon has gone offline, at least for now, after a security flaw allowed anyone to access the phone numbers, call recordings and transcripts of any other user, TechCrunch can now report.
TechCrunch discovered the security flaw during a short test of the app on Thursday. We alerted the app's founder, Alex Kiam (who previously did not respond to a request for comment about the app), to the flaw shortly after our discovery.
Kiam told TechCrunch later on Thursday that he took down the app's servers and began alerting users about pausing the app, but fell short of informing his users about the security lapse.
The Neon app stopped working shortly after we contacted Kiam.
Call recordings and transcripts exposed
At fault was the fact that the Neon app's servers did not prevent any logged-in user from accessing someone else's data.
TechCrunch created a new user account on a dedicated iPhone and verified a phone number as part of the sign-up process. We used a network analysis tool called Burp Suite to inspect the network data flowing in and out of the Neon app, allowing us to understand how the app works at a technical level, such as how the app communicates with its back-end servers.
After making some test phone calls, the app showed us a list of our most recent calls and how much money each call earned. But the network analysis tool revealed details that were not visible to regular users in the Neon app. These details included the text-based transcript of the call and a web address to the audio files, which anyone could publicly access as long as they had the link.
For example, here you can see the transcript of our test call between two TechCrunch reporters confirming that the recording worked properly.
But the back-end servers were also capable of spitting out other people's calls and their transcripts.
In one case, TechCrunch found that Neon's servers could produce data on the app's most recent users, as well as provide public web links to the raw audio files and the transcript text of what was said on the call. (The audio files contain recordings of only those who installed Neon, not those they contacted.)
Similarly, Neon's servers could be manipulated to reveal the most recent call records (also known as metadata) of any of its users. This metadata contained the user's phone number and the phone number of the person they called, when the call was made, its duration and how much money each call earned.
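The behaviour described above is a missing server-side ownership check combined with audio links that work for anyone who holds them. As an added illustration (not Neon's code and not part of the original report), this Python example contrasts a handler that trusts a client-supplied account identifier, which is one assumed way such a flaw arises, with one that enforces ownership and signs audio links per user with an expiry; the data store, function names and key are all hypothetical.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side signing key

# Constructed sample data: call records keyed by the owning account.
CALLS = {
    "alice": [{"id": "c1", "to": "+15550100", "secs": 62, "audio": "audio/c1.wav"}],
    "bob": [{"id": "c2", "to": "+15550101", "secs": 940, "audio": "audio/c2.wav"}],
}

class Forbidden(Exception):
    """Raised when the session user does not own the requested data."""

def list_calls_flawed(session_user, requested_user):
    # Assumed shape of the flaw: the server checks that the caller is logged
    # in, then trusts the user identifier supplied in the request.
    if session_user not in CALLS:
        raise Forbidden("not logged in")
    return CALLS[requested_user]

def list_calls(session_user, requested_user):
    # Object-level authorization: the owner comes from the session, and a
    # request for any other account is refused on the server.
    if session_user not in CALLS or requested_user != session_user:
        raise Forbidden("not the owner of these records")
    return CALLS[session_user]

def sign_audio_link(user, path, expires):
    # Bind the link to one account and an expiry time instead of handing out
    # a bare URL that works for anyone who holds it.
    msg = f"{user}|{path}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def audio_link_valid(session_user, path, expires, sig, now=None):
    # Recompute the signature for the logged-in user and compare in constant
    # time; a link issued to another account or past its expiry fails.
    now = time.time() if now is None else now
    expected = sign_audio_link(session_user, path, expires)
    return now < expires and hmac.compare_digest(expected, sig)
```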
A review of a handful of transcripts and audio files suggests that some users may be using the app to make lengthy calls that covertly record real-world conversations with other people in order to generate money through the app.
The app is shut down, for now
Shortly after we alerted Neon to the flaw on Thursday, the company's founder, Kiam, sent an email to customers warning them of the app's shutdown.
“Your privacy is our first priority and we want to make sure it is completely safe even during this period of rapid growth.
Notably, the email makes no mention of a security lapse or that it exposed users' phone numbers, call recordings and call transcripts to any other user who knew where to look.
It is not clear when Neon will come back online or whether this security lapse will draw the attention of the app stores.
Apple and Google have not yet responded to TechCrunch's requests for comment on whether Neon was compliant with their respective developer guidelines.
However, this would not be the first time an app with serious security issues has made it onto these app marketplaces. Recently, a popular mobile companion app, Tea, experienced a data breach that exposed users' personal information and government-issued ID documents. Popular apps such as Bumble and Hinge were caught in 2024 exposing their users' locations. Both stores must also purge the malicious apps that slip past their app review processes.
When asked, Kiam did not immediately say whether the app had undergone any security review before its launch and, if so, who performed the review. Kiam also did not say, when asked, whether the company has the technical means, such as logs, to determine if anyone else found the flaw before us or if any user data was stolen.
TechCrunch also reached out to Upfront Ventures and Xfund, which Kiam claims in a LinkedIn post have invested in his app. Neither firm has responded to our requests for comment as of publication.
