Neon, a trending application that promises to record your phone conversations and compensate you for the audio—which it then sells to AI firms—has quickly climbed into the top five free iPhone apps since debuting last week.
According to data from Appfigures, the app has already attracted thousands of users and saw 75,000 downloads just yesterday. Neon promotes itself as a platform where users can earn cash by submitting call recordings to help develop and test AI systems.
However, Neon has been taken offline—at least temporarily—after a vulnerability exposed users’ phone numbers, call audio, and transcripts to anyone, as TechCrunch has learned.
TechCrunch identified this security issue during a brief evaluation of the app on Thursday. The flaw was reported to Neon’s creator, Alex Kiam (who had previously not responded to inquiries about the app), shortly after it was found.
Later that day, Kiam informed TechCrunch that he had shut down the app’s servers and started notifying users about the pause in service, but did not fully disclose the security breach to them.
The Neon app ceased working not long after we reached out to Kiam.
Exposed call audio and transcripts
The core issue was that Neon’s servers failed to restrict logged-in users from viewing other users’ private data.
TechCrunch registered a new account on a separate iPhone, verifying a phone number as part of the process. Using Burp Suite, a tool for analyzing network traffic, we examined the data exchanged between the app and its servers to better understand its technical operations.
After making several test calls, the app displayed a summary of recent calls and the earnings from each. Yet, our network analysis revealed information hidden from ordinary users, such as the text transcript of the call and a public web link to the audio file—accessible to anyone with the URL.
For instance, here is the transcript from a test call between two TechCrunch journalists, confirming the recording feature was functioning.
Image Credits:TechCrunch
But the servers could also return large quantities of other users’ call audio and transcripts.
In one instance, TechCrunch discovered that Neon’s servers could provide information about the latest calls made by users, along with public links to the raw audio and the transcript of each conversation. (The recordings only include those who have installed Neon, not the people they call.)
Additionally, the servers could be exploited to access recent call metadata from any user. This metadata included both parties’ phone numbers, the time and duration of the call, and the amount earned from each conversation.
A review of several transcripts and audio files indicates that some users may be making lengthy calls to secretly record real-life conversations for profit through the app.
App temporarily suspended
Shortly after we notified Neon about the vulnerability on Thursday, Kiam emailed users to announce the app’s suspension.
“Protecting your data privacy is our highest priority, and we want to ensure it remains secure even as we grow quickly. For this reason, we are temporarily disabling the app to implement additional security measures,” the email shared with TechCrunch stated.
Importantly, the message did not mention the security incident or the exposure of users’ phone numbers, call audio, and transcripts to others who knew how to find them.
It remains uncertain when Neon will resume operations or if this security issue will attract scrutiny from app store operators.
Apple and Google have yet to respond to TechCrunch’s questions about whether Neon met their developer policies.
Still, this is not the first time an app with major security flaws has appeared on these platforms. Recently, the popular dating companion app Tea suffered a breach that leaked users’ personal details and government IDs. Well-known apps like Bumble and Hinge were also found in 2024 to be exposing users’ locations. Both app stores must routinely remove harmful apps that evade their review processes.
When questioned, Kiam did not immediately clarify whether any security assessment was conducted before launch, or who might have performed it. He also did not specify if the company has the technical ability, such as logs, to determine if others discovered the flaw before TechCrunch or if any user data was compromised.
TechCrunch also reached out to Upfront Ventures and Xfund, which Kiam claims in a LinkedIn post have invested in Neon. As of publication, neither firm has replied to our requests for comment.
