Viral iPhone App Neon Goes Offline After Major Security Breach Exposes Users' Call Data

Rahul M | Updated: Saturday, September 27, 2025, 12:22 AM IST
A rapidly popular iPhone app that promised users cash for recording their phone calls has been temporarily disabled following the discovery of a critical security vulnerability that exposed thousands of users' personal data, including phone numbers, audio recordings, and conversation transcripts.

Neon, which rocketed to the top five free apps on the iOS App Store shortly after its launch last week, attracted over 75,000 downloads in a single day by offering payments for call audio used to train AI models. The app, developed by Neon Mobile and founded by Alex Kiam, allowed users to earn up to 30 cents per minute for calls to other Neon users or 15 cents for non-users, with a maximum of $30 daily, positioning itself as an easy side hustle amid the AI data boom.

However, TechCrunch uncovered a severe flaw in the app's backend servers during testing on September 25, revealing that any logged-in user could access the call data of others without restrictions. Using network analysis tools, reporters intercepted data flows showing public web links to raw audio files and full text transcripts of calls, alongside metadata such as callers' and recipients' phone numbers, call durations, timestamps, and earnings amounts.

The exposure extended to recent call histories from across the user base, with some transcripts indicating that individuals were covertly recording extended real-world conversations—potentially with unaware friends, family, or colleagues—to maximize payouts. Notably, Neon's system only captured the caller's side of the conversation, a design choice aimed at navigating varying state laws on recording consent, though experts warn it may still violate two-party consent rules in states like California, Florida, and Maryland.

Upon notification from TechCrunch, Kiam promptly shut down the servers, rendering the app non-functional despite it remaining downloadable and listed in app stores. In an email to users, he cited a need to "add extra layers of security" during the app's "rapid growth," emphasizing data privacy as the top priority—but omitted any mention of the breach itself.

Kiam did not disclose whether Neon underwent a pre-launch security audit or if logs exist to detect prior unauthorized access, and investors Upfront Ventures and Xfund have yet to comment.
