- The Neon application offered money for recordings of your phone calls
- These were sold to AI companies to train their algorithms
- It was taken offline after a major security flaw exposed user records
How do you like the sound of an application that records your phone calls and sells all these private conversations to artificial intelligence (AI) companies? Of course, you could be paid a little in return, but is it worth the enormous privacy risk?
Well, it turns out that the answer is a resounding “no”, because the viral application in question, nicknamed Neon Mobile, has been taken down after it was revealed that anyone could access the phone numbers, transcripts and actual phone call recordings of any other user of the service. Worse still, the data breach could be carried out with trivial tools and minimal effort, suggesting that the application's security measures were woefully inadequate.
The vulnerability was discovered and reported by TechCrunch. The outlet explained that it had created a new account to test Neon's features, then started using a network analysis tool called Burp Suite to inspect the application's network traffic. While the Neon app showed TechCrunch's journalists a list of their own calls and how much money each had earned, Burp Suite revealed much more information.
This included the text transcripts of each call and web links to the recordings. This information was apparently accessible to anyone with the right link, which means that it was essentially open to all and sundry.
But the reported vulnerability was not limited to your own data: it apparently worked for any other user too. TechCrunch noted that Neon's servers could produce a list of the most recent calls made by all of its users, together with publicly accessible links to the corresponding recordings and transcripts.
The metadata of each call was also accessible, including telephone numbers, the date and duration of the call, and more. In other words, it was a free-for-all of private recordings and conversations.
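The two failures described above (a server that lists every user's calls regardless of who is asking, and recordings reachable by anyone who has the link) are classic missing object-level authorization checks. The Python below is an added illustration written for this article and is not Neon's code: the call records, the `example.invalid` host and the in-process signing key are all constructed. It shows the vulnerable handler pattern beside a hardened one that filters on the requesting account, and replaces permanent public links with short-lived HMAC-signed ones that a server can verify before serving a file.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample data: fictitious accounts, numbers and recordings.
CALLS = [
    {"id": 1, "owner": "alice", "phone": "+1-555-0100", "transcript": "...", "recording": "rec-1.mp3"},
    {"id": 2, "owner": "bob",   "phone": "+1-555-0101", "transcript": "...", "recording": "rec-2.mp3"},
    {"id": 3, "owner": "alice", "phone": "+1-555-0102", "transcript": "...", "recording": "rec-3.mp3"},
]


def list_recent_calls_vulnerable(requester):
    """Vulnerable pattern: the requester is authenticated but never used, so every
    user's calls, phone numbers and transcripts are returned to anyone logged in."""
    return CALLS


def list_recent_calls_hardened(requester):
    """Hardened pattern: only records the requesting account owns are returned."""
    return [c for c in CALLS if c["owner"] == requester]


def get_call_vulnerable(requester, call_id):
    """Vulnerable pattern: any caller can fetch any record by guessing its id."""
    return next(c for c in CALLS if c["id"] == call_id)


def get_call_hardened(requester, call_id):
    """Hardened pattern: ownership is checked, and 'not found' and 'not yours' raise
    the same error so the endpoint cannot be used to enumerate valid ids."""
    call = next((c for c in CALLS if c["id"] == call_id), None)
    if call is None or call["owner"] != requester:
        raise PermissionError("no such call for this account")
    return call


# Hypothetical server-side key; a real deployment would load it from a secret store.
SECRET = secrets.token_bytes(32)


def make_recording_link(recording, ttl=300, now=None):
    """Build a link that expires after ttl seconds and is bound to one recording.
    `now` is injectable so behaviour is deterministic in tests."""
    exp = int(now if now is not None else time.time()) + ttl
    sig = hmac.new(SECRET, f"{recording}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"https://example.invalid/recordings/{recording}?exp={exp}&sig={sig}"


def verify_recording_link(url, now=None):
    """Server-side check before serving a file: signature must match the recording
    name and expiry in the URL, and the expiry must still be in the future."""
    parsed = urlparse(url)
    recording = parsed.path.rsplit("/", 1)[-1]
    qs = parse_qs(parsed.query)
    try:
        exp = int(qs["exp"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    expected = hmac.new(SECRET, f"{recording}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False
    current = now if now is not None else time.time()
    return current < exp


if __name__ == "__main__":
    print("vulnerable listing for bob:", [c["id"] for c in list_recent_calls_vulnerable("bob")])
    print("hardened listing for bob:  ", [c["id"] for c in list_recent_calls_hardened("bob")])
    link = make_recording_link("rec-1.mp3", ttl=300, now=1000)
    print("link valid at t=1100:", verify_recording_link(link, now=1100))
    print("link valid at t=1301:", verify_recording_link(link, now=1301))
```

The ownership filter is the fix for the listing problem; the signed, expiring link addresses the "anyone with the link" problem, because a leaked URL stops working after the window and cannot be edited to point at a different recording without invalidating the signature. Detection-wise, a single account pulling records across many owners, or a high rate of recording fetches with failed signature checks, is the kind of signal worth alerting on.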
A privacy disaster
TechCrunch alerted Alex Kiam, Neon's founder, to the flaw. Kiam “temporarily” took the application down and sent an email to Neon users. However, Kiam's mass message made no mention of the security flaw, or of the fact that users' calls could be downloaded by anyone with the most basic technical know-how. Instead, he simply stated that the developer had “taken the application down to add additional layers of security”.
Even before this security breach came to light, Neon's concept was questionable. Put simply, the application was a potential privacy nightmare. There was no cast-iron guarantee that your recorded calls would be used safely or kept anonymous, while feeding them into a black-box AI algorithm could have all kinds of unexpected consequences and potential data risks.
As TechCrunch's investigation showed, metadata (including telephone numbers) was kept attached to the call recordings, which means that it would be trivial to personally identify the callers and the private matters they discussed.
In addition, Neon apparently did not alert the other participants in a call that their words were being recorded, which raises the question of whether anyone asked for their permission.
Such a system could also be ripe for abuse, something that TechCrunch has apparently confirmed. The outlet said it had discovered long calls that appeared to “secretly record real conversations with other people in order to generate money via the application”. It is doubtful that the people who were secretly recorded knew that they were, opening another can of worms.
There is no indication at the moment of when, or if, Neon will come back online, but Apple and Google are likely to be taking a keen interest in the matter. It remains to be seen whether they will allow it to return to their app stores, but that does not seem to align very well with the pro-privacy messaging that both companies like to push.