Neon, a viral iPhone app that pays users to record and share phone call audio with AI companies, has been forced offline after a severe security lapse exposed sensitive user data, including phone numbers, call transcripts, and audio files.
The app, which launched last week, quickly surged into the top five free iPhone apps and recorded over 75,000 downloads in a single day, according to Appfigures. Neon marketed itself as a way for users to monetize everyday phone calls by contributing recordings to help train and test artificial intelligence models.
However, TechCrunch discovered a flaw that allowed any logged-in user to access other users’ data. Using a network analysis tool, reporters found that Neon’s back-end servers were not properly restricting access, meaning transcripts, audio files, and call metadata could be retrieved without authorization. This exposed sensitive details such as phone numbers, call durations, and earnings from the app.
In some cases, users appeared to be making lengthy calls that secretly recorded real-world conversations, raising additional concerns about consent and privacy.
After being alerted to the issue, Neon’s founder Alex Kiam confirmed the app had been taken offline to “add extra layers of security.” In an email to users, the company stated:
“Your data privacy is our number one priority, and we want to make sure it is fully secure even during this period of rapid growth.”
Notably, the message did not disclose the full extent of the breach, including that private call data had been exposed.
It remains unclear when or if Neon will return to app stores, or whether Apple and Google will investigate its compliance with developer guidelines. Both platforms have previously hosted apps with major privacy lapses, including the Tea dating app, which leaked government IDs, and dating apps like Bumble and Hinge, which exposed user locations.
Kiam has not confirmed whether Neon underwent a formal security review before its launch, nor whether any data logs exist to determine if malicious actors accessed user information before the flaw was discovered.
Meanwhile, venture capital firms Upfront Ventures and Xfund, which Kiam claimed backed the app, have not commented on their involvement.
The Neon incident underscores the growing risks of viral apps monetizing sensitive user data without robust safeguards, a reminder that rapid growth often comes at the expense of security.

