In late September 2025, the Neon app rose to second place in popularity in the Apple App Store. It paid users for recording their phone calls and sold the data to AI companies. However, a vulnerability was soon discovered in Neon that allowed anyone to access users’ phone numbers, call recordings, and conversation transcripts.
The official Neon Mobile website states that the company pays 30 cents per minute for calls to other Neon users, as well as up to $30 per day for calls to other people. The app also offered rewards for referring new users. The app’s developers sell the collected data to AI companies, since the calls help train, improve, and test AI models.
According to Appfigures statistics, on September 24, 2025 alone, Neon was downloaded more than 75,000 times, so it’s no surprise it made the top 5 apps in the Social Networking category in the U.S. App Store.
However, as TechCrunch reports, the app was soon temporarily taken offline, and it’s unclear when Neon will be up and running again.
The vulnerability in the app was discovered by TechCrunch journalists themselves during a brief test. The issue was that Neon’s servers did not stop a logged-in user from accessing data that belonged to other accounts.
Journalists created a new account on a separate iPhone, verified their phone number, and used the Burp Suite network traffic analysis tool to understand how Neon interacts with its servers.
After several test calls, the app displayed a list of recent calls and how much each one earned the user. Meanwhile, analysis of the network traffic revealed text transcripts of the conversations, as well as web addresses of the call audio files that could be opened with nothing more than the link. The screenshot below shows a fragment of the transcript of a test call between two TechCrunch journalists confirming that the recording works.
The problem was compounded by the fact that Neon’s servers allowed access to other users’ call recordings and transcripts. In several cases, researchers were able to obtain data about users’ most recent calls, including links to audio files and text transcripts (only Neon users were recorded, not the people they were speaking with).
Moreover, the app’s servers made it possible to retrieve a list of any user’s recent calls along with all metadata: the phone numbers of both parties, the time and duration of the call, as well as the amount earned for recording the conversation. Journalists note that reviewing several recordings showed that Neon users were calling real people and secretly recording the conversations to earn money through the app.
Researchers reported this alarming discovery to the app’s founder, Alex Kiam. After that, Kiam, who had previously not responded to the outlet’s inquiries, took Neon’s servers offline and began notifying users about the suspension of the app. The message did not mention the discovered vulnerability that made phone numbers, recordings, and call transcripts accessible to anyone.
“The privacy of your data is our top priority. We want to ensure it’s fully protected even during a period of rapid growth. Therefore, we are temporarily shutting down the app to add additional layers of security,” the notification read.
Neon’s developers did not answer reporters’ question about whether the app underwent a security review before launch. It is also unknown whether the company has the technical means (for example, logs) to determine whether anyone else discovered this vulnerability and whether user data was stolen.
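The missing server-side check described above, and the kind of audit trail that would answer the question about logs, can be sketched as follows. This is an added example, not Neon's code or API: `CallService`, its method names, and the sample accounts and transcripts are hypothetical and constructed for illustration.

```python
# Added illustration: hypothetical in-memory service, not Neon's code or API.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Call:
    call_id: str
    owner_id: str      # account that made and recorded the call
    transcript: str

@dataclass
class CallService:
    calls: list
    audit: list = field(default_factory=list)  # (caller, owner, allowed) tuples

    def recent_calls_vulnerable(self, session_user, requested_user):
        """Flaw as reported: a logged-in user may name any account."""
        # The caller is authenticated, but nothing ties requested_user
        # to session_user, so other accounts' records are returned.
        return [c for c in self.calls if c.owner_id == requested_user]

    def recent_calls_hardened(self, session_user, requested_user):
        """Object-level authorization: the session identity must own the data."""
        allowed = session_user == requested_user
        # Record every decision so cross-account probing can be found later.
        self.audit.append((session_user, requested_user, allowed))
        if not allowed:
            raise PermissionError("caller does not own the requested call history")
        return [c for c in self.calls if c.owner_id == session_user]

    def cross_account_attempts(self):
        """Audit entries where a caller asked for another account's data."""
        return [(caller, owner) for caller, owner, _ in self.audit if caller != owner]

def demo():
    # Constructed sample data.
    svc = CallService(calls=[
        Call("c1", "alice", "constructed transcript A"),
        Call("c2", "bob", "constructed transcript B"),
    ])
    leaked = svc.recent_calls_vulnerable("alice", "bob")
    own = svc.recent_calls_hardened("alice", "alice")
    try:
        svc.recent_calls_hardened("alice", "bob")
        denied = False
    except PermissionError:
        denied = True
    return leaked, own, denied, svc.cross_account_attempts()

if __name__ == "__main__":
    print(demo())
```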
TechCrunch notes that it’s unclear when Neon will be up and running again, and whether app store moderators will take notice of the incident. Representatives for Apple and Google did not respond to the publication’s request for comment or to questions about whether Neon complies with their platforms’ rules.