Neon App Shuts Down After Data Breach - User Data Exposed

Neon App Controversy: Data Security Breach
A recently launched application named Neon, which incentivizes users to share their phone call recordings in exchange for payment, has quickly gained prominence. It ascended to become one of the top five most downloaded free applications on the iPhone platform within just one week of its release.
Rapid Growth and Core Functionality
According to data from Appfigures, an app intelligence firm, Neon has already amassed a substantial user base. Yesterday alone, the app experienced 75,000 downloads. The application is marketed as a means for individuals to generate income by contributing call data used to refine and evaluate AI models.
Security Vulnerability Discovered
However, Neon has been temporarily taken offline following the identification of a significant security vulnerability. This flaw permitted unauthorized access to sensitive user information, including phone numbers, call recordings, and transcriptions.
TechCrunch Investigation and Response
TechCrunch identified the security issue during a brief evaluation of the application on Thursday. The app’s founder, Alex Kiam, was promptly notified of the vulnerability. Previously, Mr. Kiam had not responded to inquiries regarding the app itself.
App Suspension and User Notification
Kiam subsequently informed TechCrunch that he had deactivated the app’s servers and initiated the process of informing users about a temporary suspension of service. Notably, the initial communication to users did not explicitly detail the nature of the security breach.
App Functionality Ceased
The Neon application ceased to operate shortly after TechCrunch made contact with Kiam. This suggests a swift response to mitigate the potential damage caused by the discovered security flaw.
Key Takeaways
- Neon offered financial compensation for call recordings.
- A critical security flaw exposed user data.
- The app was temporarily suspended following the discovery.
- Full disclosure of the security lapse to users was initially lacking.
Exposure of Call Recordings and Transcripts
A security flaw within the Neon application allowed unauthorized access to user data. Specifically, the app’s servers failed to restrict access, permitting any logged-in user to view information belonging to others.
To investigate, TechCrunch established a new user account on an iPhone and validated a phone number during registration. A network analysis tool, Burp Suite, was then employed to dissect the data exchange between the Neon app and its servers, revealing the app’s underlying technical operations.
Following several test calls, the app displayed a list of recent calls and associated earnings. However, the network analysis uncovered details hidden from standard users. This included access to call transcripts and publicly accessible web links to the audio files.
For instance, a transcript of a test call between two TechCrunch journalists confirmed the recording functionality was operational.
The server infrastructure was capable of delivering extensive data from other users’ calls, including their corresponding transcripts. TechCrunch discovered the Neon servers could provide data pertaining to recent calls made by app users. Publicly accessible web links to the raw audio files and the textual content of the conversations were also obtainable. (Recordings were limited to users who had installed Neon, not their contacts.)
Furthermore, the Neon servers could be exploited to reveal recent call records – or metadata – from any user. This metadata encompassed the caller’s phone number, the recipient’s number, the call’s timestamp, duration, and generated earnings.
Examination of several transcripts and audio files indicated potential misuse of the app. Some users may be leveraging it to record conversations without consent, aiming to generate revenue.
Details of the Vulnerability
- Lack of Access Control: The servers did not check whether a logged-in user was authorized to access the requested records, so any authenticated account could retrieve other users’ data.
- Data Exposure: Sensitive information, including call recordings and transcripts, was publicly accessible via direct links.
- Metadata Leakage: Call metadata, such as phone numbers and call durations, was also compromised.
The ability to access this data raises significant privacy concerns. The potential for misuse, including unauthorized recording and distribution of private conversations, is substantial.
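The flaw described above amounts to a missing per-record ownership check combined with audio served from public links. The Python sketch below is an added example, not Neon's code: it contrasts a handler that only checks for a session with one that enforces ownership and hands out short-lived signed audio links. The record layout, function names and signing key are hypothetical.

```python
import hashlib
import hmac
import time

# Constructed sample data; field names follow the metadata the article lists.
CALLS = {
    101: {"owner": "user-a", "caller": "+15550100", "recipient": "+15550101",
          "timestamp": 1758800000, "duration_s": 62, "earnings": 0.31,
          "transcript": "test call one", "audio_key": "rec/101.wav"},
    102: {"owner": "user-b", "caller": "+15550102", "recipient": "+15550103",
          "timestamp": 1758800500, "duration_s": 45, "earnings": 0.22,
          "transcript": "test call two", "audio_key": "rec/102.wav"},
}
URL_KEY = b"demo-only-signing-key"  # assumption: server-side secret, never in the app
URL_TTL = 300                       # seconds a signed audio link stays valid

def get_call_vulnerable(session_user, call_id):
    """Flawed pattern: being logged in is the only check performed."""
    if session_user is None:
        return 401, None
    call = CALLS.get(call_id)
    return (200, call) if call else (404, None)

def sign_audio_url(audio_key, user, now=None):
    """Short-lived link bound to one user, instead of a public URL."""
    expires = int(now if now is not None else time.time()) + URL_TTL
    msg = f"{audio_key}|{user}|{expires}".encode()
    sig = hmac.new(URL_KEY, msg, hashlib.sha256).hexdigest()
    return f"/audio/{audio_key}?u={user}&exp={expires}&sig={sig}"

def verify_audio_url(audio_key, user, expires, sig, now=None):
    """Reject expired links and links whose signature does not match."""
    now = int(now if now is not None else time.time())
    msg = f"{audio_key}|{user}|{expires}".encode()
    good = hmac.new(URL_KEY, msg, hashlib.sha256).hexdigest()
    return now <= int(expires) and hmac.compare_digest(good, sig)

def get_call_hardened(session_user, call_id, now=None):
    """Object-level authorization: the record must belong to the session user."""
    if session_user is None:
        return 401, None
    call = CALLS.get(call_id)
    # Same 404 for "missing" and "not yours" so record IDs cannot be probed.
    if call is None or call["owner"] != session_user:
        return 404, None
    body = {k: v for k, v in call.items() if k not in ("owner", "audio_key")}
    body["audio_url"] = sign_audio_url(call["audio_key"], session_user, now)
    return 200, body
```

The audio endpoint would call `verify_audio_url` with the session user rather than the `u` parameter from the link, so a copied link fails for any other account and for everyone once it expires.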
Neon App Temporarily Unavailable
Following notification of a vulnerability on Thursday, Neon’s founder, Kiam, disseminated a communication to users regarding the app’s temporary suspension of service.
The email, which was shared with TechCrunch, stated, “Protecting your data privacy is our foremost concern, and we are committed to ensuring its complete security, particularly during this phase of accelerated expansion.” Consequently, the application has been taken offline to implement enhanced security measures.
Significantly, the communication did not acknowledge a security breach or the exposure of user data, including phone numbers, call recordings, and transcripts, to unauthorized access.
The timeline for Neon’s return to operation remains uncertain, as does whether this security issue will prompt scrutiny from the app stores.
As of yet, Apple and Google have not provided statements regarding Neon’s adherence to their respective developer policies, despite inquiries from TechCrunch.
This situation is not unprecedented; apps with substantial security vulnerabilities have previously been distributed through these marketplaces. A recent data breach at the Tea dating app resulted in the exposure of personal information and official identification documents. Furthermore, both Bumble and Hinge faced criticism in 2024 for exposing user location data.
Both app stores consistently work to remove malicious applications that circumvent their review procedures.
When questioned, Kiam did not immediately confirm whether a security assessment was conducted prior to the app’s launch, or identify the entity responsible for such a review. He also did not indicate if the company possesses the necessary tools, like system logs, to ascertain if the vulnerability was discovered by others or if user data was compromised.
TechCrunch also contacted Upfront Ventures and Xfund, investment firms Kiam mentioned in a LinkedIn post as having invested in the app. As of the time of publication, neither firm had responded to requests for comment.