- The Neon app offered cash for recordings of your phone calls
- These were sold to AI firms in order to train their algorithms
- It’s been taken offline after a huge security flaw exposed users’ recordings
How do you like the sound of an app that records your phone calls and sells all those private conversations to artificial intelligence (AI) companies? Sure, you might get paid a little in return, but is that worth the enormous privacy risk?
Well, it turns out the answer is a resounding ‘no’ because the viral app in question – dubbed Neon Mobile – has been taken offline after it was revealed that anyone could access the phone numbers, transcripts and actual phone call recordings of any other user of the service. Worst of all, the data breach could be performed with the most trivial of tools and the barest modicum of effort, suggesting the app’s security measures were woefully inadequate.
The vulnerability was discovered and reported by TechCrunch. The news outlet explained that it created a new account to test Neon’s functionality, then started using a network analysis tool called Burp Suite to peer into the app’s network traffic. While Neon showed the TechCrunch reporters a list of their calls and how much money each one earned, Burp Suite revealed far more information.
That included text transcripts of each call and web links to the recordings. This information could apparently be accessed by anyone with the correct link, meaning it was essentially open to all and sundry.
But the reported vulnerability was not just limited to your own hidden data – you could seemingly do so for any other user. TechCrunch found that Neon’s servers could produce a list of the most recent calls made by all of its users, as well as publicly available links to the corresponding recordings and transcripts.
Metadata of each call was also accessible, including phone numbers, call date and duration, and more. In other words, it was a near-total free-for-all of private recordings and conversations.
A privacy disaster
TechCrunch alerted Alex Kiam, Neon’s founder, about the flaw. Kiam “temporarily” took down the app and emailed Neon’s users. However, Kiam’s mass message made no mention of the security flaw or the fact that users’ calls were available to be downloaded by anyone with the barest level of technical know-how. Instead, it simply stated that the developer was “taking the app down to add extra layers of security.”
Even before this security breach was revealed, the concept of Neon was questionable. Simply put, the app was a potential privacy nightmare. There was no cast-iron guarantee that your recorded calls would be used securely or kept anonymous, while feeding them into a black box AI algorithm could have all manner of unexpected consequences and potential data risks.
As TechCrunch’s investigation has shown, metadata (including phone numbers) was kept attached to call recordings, meaning it would be trivial to personally identify the callers and the private matters they were discussing.
What’s more, Neon apparently did not alert any call participant that their words were being recorded, raising the question of whether anyone was asking permission for this.
Such a system could also be ripe for abuse – something that TechCrunch seemingly confirmed. The outlet said it discovered lengthy calls that appeared to “covertly record real-world conversations with other people in order to generate money through the app.” It’s doubtful those people who were secretly recorded knew that was the case, opening yet another privacy can of worms.
There’s no hint as to when – or if – Neon will come back online, but it’s likely that Apple and Google are taking a keen interest in proceedings. Whether they’ll allow it to return to their app stores remains to be seen, but it doesn’t seem to align very well with the pro-privacy messages both companies like to push.
