Neon App Exposed Thousands of Call Recordings Before Going Dark

Thousands of users’ phone numbers, call recordings, and transcripts were exposed due to a glaring security flaw—raising serious questions about app store oversight and data ethics.


A Fast-Rising App With a Dangerous Flaw

Neon, a viral call-recording iPhone app that promised users cash for their phone call data, has gone offline after TechCrunch discovered a critical security vulnerability that exposed sensitive user information.

  • The app had skyrocketed into the top five free iOS apps shortly after launch, with 75,000 downloads in a single day.
  • Neon offered to pay users for recording their phone calls, which would then be sold to AI companies for training purposes.

But under the hood, the app was wide open.


Exposed: Recordings, Transcripts, Phone Numbers

Using standard testing tools, TechCrunch found that any Neon user could access:

  • Other users’ call recordings
  • Full transcripts of those calls
  • Phone numbers of both the caller and recipient
  • Call metadata, including timestamps, duration, and how much each call earned

This data could be accessed simply by inspecting the app’s server communications, with no meaningful access controls in place.

One JSON response showed a transcript: “Uh, it worked. Hooray. Okay. Thanks, mate.” — a test call between two TechCrunch reporters.

More alarmingly, server queries could return calls and transcripts from unrelated users, raising the likelihood that real conversations were being covertly recorded and monetized without the other party’s knowledge.


Founder Responds — But Doesn’t Disclose the Breach

After being contacted by TechCrunch, Neon’s founder Alex Kiam quickly took the app offline and emailed users.

  • In the email, Kiam claimed the shutdown was due to rapid growth and a need to “add extra layers of security.”
  • However, the message did not disclose the security breach, nor mention that user data had been publicly exposed.

Kiam also did not answer key questions about:

  • Whether the app underwent any formal security review
  • Whether it has logs to determine if others found the flaw first
  • Whether data was accessed or exfiltrated by bad actors

A Business Model Ripe for Abuse

Neon’s premise—to pay users for call data—was already controversial.

  • While the app only records the user side of the conversation, it’s unclear if those being called are informed or consent to the recording.
  • Some transcripts revealed lengthy, real-world conversations that appear to have been recorded without the other person’s awareness.

This raises significant privacy and ethical concerns, especially given that audio recordings and transcripts were publicly accessible with minimal effort.


App Store Oversight Under Scrutiny

So far, Apple and Google have not commented on whether Neon violated developer guidelines. But the incident adds to a growing list of high-profile app store failures, including:

  • Tea (2025) — which leaked user IDs and personal documents
  • Bumble and Hinge (2024) — which exposed user locations
  • Numerous malicious apps regularly slipping through app reviews

Neon’s failure suggests basic security auditing may not have occurred prior to launch—despite its viral success.


Investor Silence and the Road Ahead

Kiam claims in a LinkedIn post that Upfront Ventures and Xfund backed Neon, but neither firm has responded to TechCrunch’s requests for comment.

With trust shattered and sensitive user data already exposed, it’s unclear:

  • Whether Neon will return to the App Store
  • Whether it will face regulatory scrutiny or lawsuits
  • Whether it can regain public trust at all
