
Neon, a viral new app that paid users to record their phone calls, has been taken offline after the disclosure of a critical security vulnerability that exposed sensitive user data. Within a week of launch the app had climbed into the top five free iPhone apps and was downloaded 75,000 times in a single day.
Neon was pitched as a way for users to earn money by sharing recordings of their calls, which were to be used to train and improve AI models. That rapid growth came to an abrupt halt when researchers found that the platform's backend was effectively an open door: anyone could retrieve other users' phone numbers, audio recordings, and call transcripts.
Critical Security Flaw Exposed User Data
The bug was discovered by TechCrunch while testing the app. Its analysis showed that Neon's backend servers did not properly restrict access to per-user data, so any logged-in user could retrieve other users' records.
By inspecting the app's network traffic, the researchers were able to pull full call transcripts and direct links to audio files; the audio was accessible to anyone who knew the URL, with no authentication required. The servers could also expose call metadata, including users' phone numbers, the time and duration of each call, and how much each user had earned.
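As an added illustration (not Neon's code, whose backend has not been published), the following Python sketches the two failures described above and the corresponding fixes: a record lookup that authenticates the caller but never checks who owns the record, beside one that scopes the lookup to the caller's own user ID; and a bare "anyone with the link" audio URL beside a signed, expiring one. The session tokens, call records, signing key and CDN host are all constructed placeholders.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed sample data for the illustration: fake sessions and fake calls.
# In the flaw class at issue, the session check passes but no ownership check follows.
SESSIONS = {"tok-alice": "u1", "tok-bob": "u2"}  # session token -> user id


@dataclass
class CallRecord:
    call_id: int
    owner_id: str
    phone_number: str
    duration_s: int
    earnings_cents: int
    transcript: str
    audio_key: str  # object-storage key of the recording


CALLS = {
    1001: CallRecord(1001, "u1", "+1-555-0100", 312, 95, "hi, is this the clinic?", "audio/1001.m4a"),
    1002: CallRecord(1002, "u2", "+1-555-0177", 58, 20, "call me back later", "audio/1002.m4a"),
}


def _authenticate(token):
    """Return the user id for a valid session token, else None."""
    return SESSIONS.get(token)


def fetch_call_vulnerable(token, call_id):
    """Broken object-level authorization: the caller is authenticated, but the
    record is looked up by ID alone, so any logged-in user can read any call."""
    if _authenticate(token) is None:
        return 401, None
    rec = CALLS.get(call_id)
    if rec is None:
        return 404, None
    return 200, rec  # hands another user's transcript, number and earnings to the caller


def fetch_call_hardened(token, call_id):
    """Ownership is part of the lookup; a record that is missing and one that
    belongs to someone else get the same 404, so IDs cannot be enumerated."""
    user = _authenticate(token)
    if user is None:
        return 401, None
    rec = CALLS.get(call_id)
    if rec is None or rec.owner_id != user:
        return 404, None
    return 200, rec


# --- audio downloads: "anyone with the link" vs a signed, expiring link ---
SIGNING_KEY = b"hypothetical-server-side-secret"  # assumed placeholder; keep real keys out of source
CDN_BASE = "https://cdn.example.invalid"  # assumed placeholder host


def _signature(audio_key, expires_at):
    msg = f"{audio_key}|{expires_at}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def public_audio_url(rec):
    """The weak pattern: a stable URL that serves the file to anyone who has it."""
    return f"{CDN_BASE}/{rec.audio_key}"


def sign_audio_url(rec, expires_at):
    """Issue a URL the storage front end honours only until expires_at and
    only if the HMAC over (key, expiry) verifies."""
    return f"{CDN_BASE}/{rec.audio_key}?exp={expires_at}&sig={_signature(rec.audio_key, expires_at)}"


def verify_audio_url(url, now=None):
    """Storage-side check: signature present and valid, and link not expired."""
    now = time.time() if now is None else now
    parsed = urlparse(url)
    audio_key = parsed.path.lstrip("/")
    qs = parse_qs(parsed.query)
    try:
        expires_at = int(qs["exp"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return False  # a bare public URL carries no signature and is refused
    if now > expires_at:
        return False
    return hmac.compare_digest(_signature(audio_key, expires_at), sig)


if __name__ == "__main__":
    status, rec = fetch_call_vulnerable("tok-bob", 1001)
    print("vulnerable: bob reads alice's call ->", status, rec.phone_number)
    print("hardened:   bob reads alice's call ->", fetch_call_hardened("tok-bob", 1001)[0])
    url = sign_audio_url(CALLS[1001], int(time.time()) + 300)
    print("signed url accepted:", verify_audio_url(url))
    print("bare url accepted:  ", verify_audio_url(public_audio_url(CALLS[1001])))
```

The hardened lookup returns the same 404 for "no such record" and "not your record", so a client walking the ID space learns nothing about which IDs exist. The signed URL here binds only the object key and expiry; a stricter design would also bind the requesting user ID into the signed message and keep the expiry short, so a leaked link is useless to anyone else and goes stale quickly.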
Separately, videos suggested that some users were covertly recording live, in-person conversations to sell to the app, which raises further ethical and legal concerns.
App Pulled After Disclosure
After the discovery, TechCrunch contacted Neon's founder, Alex Kiam, who took the app's servers offline and notified users that the service was temporarily suspended. In an email to customers, Kiam wrote:
The first priority we have is to protect your data privacy, and we wish it to be completely secure even at this time of blistering growth. Due to this fact, we are temporarily shutting down the app in order to introduce additional security measures.
The company did not, however, disclose that there had been a security lapse or that user data had been exposed. Whether or when the app will return is unknown, as is whether Apple or Google will open investigations into the incident.
A Pattern of Security Lapses in Popular Apps
The Neon incident highlights a recurring problem in mobile app security: despite strict developer guidelines, apps with serious vulnerabilities still reach the mainstream app stores.
In January this year, the dating apps Bumble and Hinge were found to be leaking their users' location data, and the Tea app was found to be exposing sensitive personal details, including government-issued IDs. These cases raise questions about how effective the major platforms' app review processes really are.
It is also unclear whether Neon underwent any formal security audit before launch, or whether the company has any way of knowing if another party exploited the vulnerability before it was discovered.
Silence From Investors and an Uncertain Future
Neon's founder says the venture capital firms Upfront Ventures and Xfund are backers of the startup, but neither responded to questions about the exposure. Meanwhile, users are left unsure about the safety of their data and the future of the app.
Neon's sudden rise and equally sudden fall is a warning about the risks of handing personal data to new apps. The idea of monetizing phone-call data to fuel AI development may be novel, but the episode shows how quickly inadequate security practices can destroy user trust.
Neon's future remains uncertain: unless it can demonstrate stronger protections and greater transparency, users are unlikely to trust it, or similar services, again.