A new app called Neon has quickly shot to the top of the app charts. It’s a viral app that records your phone calls and then pays you for the audio, which it sells to AI companies. Since its launch last week, Neon has risen to become one of the top five free iPhone apps. The app has already accumulated thousands of users and was downloaded 75,000 times in a single day, according to data from app intelligence provider Appfigures. Neon’s appeal lies in its pitch: it offers users a way to make money by providing call recordings that help train and improve AI models.
However, a serious security issue has forced Neon to go offline, at least for the time being. TechCrunch discovered a security flaw that allowed anyone to access the phone numbers, call recordings, and transcripts of any other user. This critical lapse in security has led to the app being taken down. We uncovered the flaw during a short test of the app and immediately alerted the founder, Alex Kiam. Kiam, who had previously not responded to our comments, later told us that he had taken down the app’s servers and started notifying users about the pause. However, he fell short of informing his users about the security lapse itself. The app stopped working shortly after we contacted him.
The vulnerability was in the app’s servers, which failed to prevent a logged-in user from accessing another user’s data. To test this, we created a new user account on a dedicated iPhone and verified a phone number. We then used a network traffic analysis tool called Burp Suite to inspect the data moving in and out of the app. This allowed us to understand how the app communicates with its back-end servers on a technical level.
After making a few test calls, the app showed us a list of our most recent calls and the money we earned from each one. However, our network analysis tool revealed additional details not visible to regular users. These details included a text-based transcript of the call and a web address to the audio files. Anyone could publicly access these audio files as long as they had the link.
For example, our test call between two TechCrunch reporters confirming that the recording worked properly produced a transcript that was easily accessible. This highlighted the serious nature of the security flaw, as sensitive user information was not adequately protected.
Reference:
