| TechCrunch techcrunch.com
Zack Whittaker
Sarah Perez
2:10 PM PDT · September 25, 2025
Call recording app Neon was one of the top-ranked iPhone apps, but was pulled offline after a security bug allowed any logged-in user to access the call recordings and transcripts of any other user.
A viral app called Neon, which offers to record your phone calls and pay you for the audio so it can sell that data to AI companies, has rapidly risen to the ranks of the top-five free iPhone apps since its launch last week.
The app already has thousands of users and was downloaded 75,000 times yesterday alone, according to app intelligence provider Appfigures. Neon pitches itself as a way for users to make money by providing call recordings that help train, improve, and test AI models.
But Neon has gone offline, at least for now, after a security flaw allowed anyone to access the phone numbers, call recordings, and transcripts of any other user, TechCrunch can now report.
TechCrunch discovered the security flaw during a short test of the app on Thursday. We alerted the app’s founder, Alex Kiam (who previously did not respond to a request for comment about the app), to the flaw soon after our discovery.
Kiam told TechCrunch later Thursday that he took down the app’s servers and began notifying users about pausing the app, but fell short of informing his users about the security lapse.
The Neon app stopped functioning soon after we contacted Kiam.
Call recordings and transcripts exposed
At fault was the fact that the Neon app’s servers were not preventing any logged-in user from accessing someone else’s data.
TechCrunch created a new user account on a dedicated iPhone and verified a phone number as part of the sign-up process. We used a network traffic analysis tool called Burp Suite to inspect the network data flowing in and out of the Neon app, allowing us to understand how the app works at a technical level, such as how the app communicates with its back-end servers.
After making some test phone calls, the app showed us a list of our most recent calls and how much money each call earned. But our network analysis tool revealed details that were not visible to regular users in the Neon app. These details included the text-based transcript of the call and a web address to the audio files, which anyone could publicly access as long as they had the link.
For example, here you can see the transcript from our test call between two TechCrunch reporters confirming that the recording worked properly.
a JSON response from Neon Mobile's server, which reads as transcript text from a call between two TC reporters, which says: "Uh, it worked. Hooray. Okay. Thanks, mate."
Image Credits:TechCrunch
But the back-end servers were also capable of spitting out reams of other people’s call recordings and their transcripts.
In one case, TechCrunch found that the Neon servers could produce data about the most recent calls made by the app’s users, as well as providing public web links to their raw audio files and the transcript text of what was said on the call. (The audio files contain recordings of just those who installed Neon, not those they contacted.)
Similarly, the Neon servers could be manipulated to reveal the most recent call records (also known as metadata) from any of its users. This metadata contained the user’s phone number and the phone number of the person they’re calling, when the call was made, its duration, and how much money each call earned.
A review of a handful of transcripts and audio files suggests some users may be using the app to make lengthy calls that covertly record real-world conversations with other people in order to generate money through the app.
App shuts down, for now
Soon after we alerted Neon to the flaw on Thursday, the company’s founder, Kiam, sent out an email to customers alerting them to the app’s shutdown.
“Your data privacy is our number one priority, and we want to make sure it is fully secure even during this period of rapid growth. Because of this, we are temporarily taking the app down to add extra layers of security,” the email, shared with TechCrunch, reads.
Notably, the email makes no mention of a security lapse or that it exposed users’ phone numbers, call recordings, and call transcripts to any other user who knew where to look.
It’s unclear when Neon will come back online or whether this security lapse will gain the attention of the app stores.
Apple and Google have not yet commented following TechCrunch’s outreach about whether or not Neon was compliant with their respective developer guidelines.
However, this would not be the first time that an app with serious security issues has made it onto these app marketplaces. Recently, a popular mobile dating companion app, Tea, experienced a data breach, which exposed its users’ personal information and government-issued identity documents. Popular apps like Bumble and Hinge were caught in 2024 exposing their users’ locations. Both stores also have to regularly purge malicious apps that slip past their app review processes.
When asked, Kiam did not immediately say if the app had undergone any security review ahead of its launch, and if so, who performed the review. Kiam also did not say, when asked, if the company has the technical means, such as logs, to determine if anyone else found the flaw before us or if any user data was stolen.
TechCrunch additionally reached out to Upfront Ventures and Xfund, which Kiam claims in a LinkedIn post have invested in his app. Neither firm has responded to our requests for comment as of publication.
mobile-hacker.com - On June 13, 2025 was disclosed vulnerability in the iOS version of the Air Keyboard app that exposes users to remote input injection over Wi-Fi. The flaw, documented in CXSecurity Report, allows an attacker on the same local network to send keystrokes to a target iOS device without authentication. As of this writing, the app remains available on the App Store and is still affected by the vulnerability. With the report is also published prove of concept python script. In this blog I will test the exploit, have a look on their Android version of Air Keyboard app and conclude with security tips.
According to its official information, Air Keyboard is an app that turns your mobile device into a wireless keyboard and mouse for your computer. It connects over the local network and sends or receives input to or from a companion desktop application installed on Windows or macOS. The app’s goal is to offer convenient remote control for presentations, media playback, or general PC use, all from your smartphone or tablet.
The vulnerability stems from the iOS app listening on TCP port 8888 for incoming input — without any form of authentication or encryption. A proof-of-concept Python script included in the advisory demonstrates how an attacker can craft data and remotely inject arbitrary keystrokes to the victim’s device. A video demonstration further confirms how trivial the attack is to execute. Because the iOS app does not verify the origin or integrity of the incoming commands, any device on the same Wi-Fi network can send input as if it were the user.
The app remains available on the App Store in this vulnerable state, with no fix or warning issued to users.
Sending private screenshots to an AI-based “wingman” app is probably not the best idea. Who would have thought? Unfortunately, users of FlirtAI - Get Rizz & Dates will have to find out the hard way.
The Cybernews research team recently discovered an unprotected Google Cloud Storage Bucket owned by Buddy Network GmbH, an iOS app developer.
The exposed data was attributed to one of the company’s projects, FlirtAI - Get Rizz & Dates, an app that intends to analyze screenshots that users provide, promising to suggest appropriate replies.
Meanwhile, the app makers leaked over 160K screenshots from messaging apps and dating profiles, belonging to individuals that users of the AI wingman wanted assistance with.
What makes it worse is that, according to the team, leaked data indicates that FlirtAI - Get Rizz & Dates was often used by teenagers, who fed the AI screenshots of their conversations with their peers.
“Due to the nature of the app, people most affected by the leak may be unaware that screenshots of their conversations even exist, let alone that they could be leaked on the internet,” the team said.
After the team noted the company and the relevant Computer Emergency Response Team (CERT), Buddy Network GmbH closed the exposed bucket. We have reached out to the company for a comment and will update the article once we receive a reply.
Trend™ Research uncovered a campaign on TikTok that uses videos to lure victims into downloading information stealers, a tactic that can be automated using AI tools.
Threat actors are now using TikTok videos that are potentially generated using AI-powered tools to socially engineer users into executing PowerShell commands under the guise of guiding them to activate legitimate software or unlock premium features. This campaign highlights how attackers are ready to weaponize whichever social media platforms are currently popular to distribute malware.
This report details the observed tactics, techniques, and procedures (TTPs), indicators of compromise (IoCs), and the potential impact of this trend.
In iOS 18, Apple spun off its Keychain password management tool—previously only tucked away in Settings—into a standalone app called...
After federal police came to an employee’s house to ask questions, encrypted messaging company Session has decided to leave Australia and switch to a foundation model based in Switzerland.
OpenAI updated its ChatGPT macOS app on Friday after users discovered it stored conversations insecurely in plain text.
We analyzed third-party keyboard apps Tencent QQ, Baidu, and iFlytek, on the Android, iOS, and Windows platforms. Along with Tencent Sogou, they comprise over 95% of the market share for third-party keyboard apps in China. This is an FAQ for the full report titled "The not-so-silent type: Vulnerabilities across keyboard apps reveal keystrokes to network eavesdroppers."
Warning on KIMSUKY Cyber Actor's Recent Cyber Campaigns against Google's Browser and App Store Services
A mandatory app exposed the personal information of students and teachers across the country for over a year.
The Galaxy App Store is an alternative application store that comes pre-installed on Samsung Android devices. Several Android applications are available on both the Galaxy App Store and Google App Store, and users have the option to use either store to install specific applications. Two vulnerabilities were uncovered with the Galaxy App Store application: Technical…
SweepWizard, an app that law enforcement used to coordinate raids, left sensitive information about hundreds of police operations publicly accessible.
A family of malicious apps from developer Mobile apps Group are listed on Google Play and infected with Android/Trojan.HiddenAds.BTGTHB. In total, four apps are listed, and together they have amassed at least one million downloads.
Older versions of these apps have been detected in the past as different variants of Android/Trojan.HiddenAds. Yet, the developer is still on Google Play dispensing its latest HiddenAds malware.
A report shows four Bluetooth-centered apps by the same developer have been downloaded 1 million times combined while containing malicious code.
New research shows how third-party apps could be exploited to infiltrate these sensitive workplace tools.
Attackers attempted to disrupt ride-hailing app service on Thursday, the company confirmed.
This investigation report contains an applications analysis of 7 different Apple developer accounts (identified so far — maybe there are…
Google researchers said the app was designed to figure out who may want to use this kind of app.
Let's hope nobody lies about what permissions their app uses.
In Ukraine, civilians are valiantly assisting the army via apps—and challenging a tenet of international law in the process.
