This Popular Call Recording App Wasn’t Just Selling Your Data — It Was Leaking It

Neon App

In what should be a cautionary tale about trusting apps from little-known developers, Neon — the surprisingly popular call recording app that paid users to share their phone call recordings for AI training — has been discovered leaking that data like a sieve to nearly anyone who wanted to access it.

As we shared yesterday, Neon had rocketed to second place among free social networking apps on the App Store charts, largely thanks to its offer to pay users up to 30 cents per minute for calls made through the app. Unsurprisingly, it turns out that a lot of people like “free” money.


Of course, there’s no such thing as a free lunch. What Neon was really doing was collecting conversational data it could sell — presumably at a hefty markup — to companies hungry for training material for their AI models.

While this sounds a bit sketchy, there was reason to believe Neon was at least attempting to operate responsibly. Its privacy policy promised to filter out personal details and share only “anonymized audio” with vetted AI companies, delivered as encrypted records. Leaving aside the fact that “anonymized audio” isn’t necessarily anonymous — as Apple’s Siri eavesdropping case proved — it sounded like Neon’s developers were at least trying.

Sadly, it seems that while they may have gone into this venture with the best intentions, they probably should have paid as much attention to their back-end technology as they did to their marketing.

Soon after Neon’s rise made headlines, the folks at TechCrunch decided to take a closer look, and it didn’t take them long to find a serious, deal-breaking fly in the ointment.

After a short test of the app on Thursday, TechCrunch discovered that the servers on which the data was stored were woefully insecure, allowing any logged-in user to access anyone else’s stored data.

It didn’t take much more digital excavation to discover that Neon’s servers would happily serve up a list of all recent calls made by any user, complete with publicly accessible web links to raw audio files and transcripts. The metadata was also readily accessible, including the phone numbers of both parties, the time the call was made, and its duration.

TechCrunch created a new user account on a dedicated iPhone and verified a phone number as part of the sign-up process. We used a network traffic analysis tool called Burp Suite to inspect the network data flowing in and out of the Neon app, allowing us to understand how the app works at a technical level, such as how the app communicates with its back-end servers.

After making some test phone calls, the app showed us a list of our most recent calls and how much money each call earned. But our network analysis tool revealed details that were not visible to regular users in the Neon app. These details included the text-based transcript of the call and a web address to the audio files, which anyone could publicly access as long as they had the link.

Zack Whittaker and Sarah Perez, TechCrunch

In other words, if you made a call through Neon, anybody with an account on the service would be able to download an exact audio recording and transcript of everything you said, with relatively little effort.
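The two back-end failures described above, broken object-level authorization on the call-list endpoint and permanent public links to the audio files, reduce to a few lines of server code. The following is an added illustration, not Neon's actual back end: the store contents, the `user-A`/`user-B` ids, the placeholder audio host and the HMAC signing scheme are all constructed assumptions, shown as a vulnerable handler beside a hardened one.

```python
# Added illustration of the two failures described in the article: (1) an API
# that returns any user's call records to any logged-in user, and (2) audio
# links that are public to anyone holding the URL. Names, data and the signing
# scheme are constructed assumptions, not Neon's actual back end.
import hashlib
import hmac
import time

# Constructed sample store: call records keyed by the owning user id.
CALLS = {
    "user-A": [{"call_id": "c1", "from": "+1555000001", "to": "+1555000002",
                "duration": 120, "transcript": "hello from A"}],
    "user-B": [{"call_id": "c2", "from": "+1555000003", "to": "+1555000004",
                "duration": 45, "transcript": "hello from B"}],
}
AUDIO_BASE = "https://audio.example.invalid"  # placeholder host
SIGNING_KEY = b"server-side-secret"            # constructed; never sent to clients


def vulnerable_list_calls(session_user: str, requested_user: str) -> list:
    """Broken object-level authorization: the session user is never compared
    with the user whose records are requested, and audio links never expire."""
    return [dict(c, audio_url=f"{AUDIO_BASE}/{c['call_id']}.wav")
            for c in CALLS.get(requested_user, [])]


def signed_audio_url(call_id: str, expires_at: int) -> str:
    """Time-limited link: the audio host (assumed to call verify_audio_url)
    refuses it after expiry or if any part of it has been altered."""
    msg = f"{call_id}:{expires_at}".encode()
    tag = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"{AUDIO_BASE}/{call_id}.wav?exp={expires_at}&sig={tag}"


def verify_audio_url(call_id: str, expires_at: int, sig: str, now: int) -> bool:
    """Check performed by the audio host before serving a file."""
    msg = f"{call_id}:{expires_at}".encode()
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return now < expires_at and hmac.compare_digest(expected, sig)


def hardened_list_calls(session_user: str, requested_user: str,
                        now=None, ttl=300) -> list:
    """Ownership is enforced server-side and links expire after `ttl` seconds."""
    if session_user != requested_user:
        raise PermissionError("callers may only list their own recordings")
    now = int(time.time()) if now is None else now
    return [dict(c, audio_url=signed_audio_url(c["call_id"], now + ttl))
            for c in CALLS.get(requested_user, [])]
```

Note that the ownership check belongs on the server; a client that simply hides other users' records, as the quoted TechCrunch test shows, is no protection once the traffic is inspected.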

The only barely visible silver lining here is that Neon did appear to stick to its claim that it only recorded its own users’ side of the conversation. Most files were one-sided recordings — except in cases where both participants were using Neon.

TechCrunch promptly alerted the company’s founder, Alex Kiam, to the flaw. He quickly shut down the app’s servers and notified users that the app was being paused, and it stopped functioning soon after. However, his email — seen by TechCrunch — made no mention of the security lapse, instead framing the pause as a proactive privacy move:

Your data privacy is our number one priority, and we want to make sure it is fully secure even during this period of rapid growth. Because of this, we are temporarily taking the app down to add extra layers of security.

Email from Neon founder Alex Kiam, via TechCrunch

For now, the shutdown appears to be voluntary, with no sign that Apple has stepped in. Kiam declined to answer questions about whether Neon had undergone any security reviews before launch or whether the company has the technical means to determine if data was stolen.

While we’ll give Kiam and his colleagues the benefit of the doubt that they were starting out with good intentions, this incident underscores the risks of trusting your data to little-known apps. Building secure infrastructure is hard, and not every developer has the skills or resources to do it right — leaving your personal information exposed if you’re not careful about who you entrust it to.
