Eavesdropping app Neon exposed everything: now offline
"Neon - Money Talks" became instantly popular because it promised money for recorded phone calls. But the recordings ended up freely accessible on the net.
“Neon - Money Talks” was the fourth most installed application on iPhones in the US last week, ahead of Google and WhatsApp. This was solely due to the money: Neon records phone calls initiated using the app and pays out 15 US cents per minute. According to the operator, the recordings are then stripped of personal data and sold on for artificial intelligence training. Neon is now offline because the recordings, including transcripts and user identities, have all ended up online.
This is explicitly not a violation of the terms of the contract, in which the operating company Neon Mobile, Inc. reserves the right to publicly display all recordings, make them available for public access, and create derivative works. However, it does undermine the company's own business model: operators of large AI companies have no qualms about using third-party works from the internet without a licence. If the Neon recordings are freely available online, such companies have no incentive to pay for them. Neon Mobile would then be unable to sell them.
TechCrunch uncovered the problem during a brief test of the app. It was enough to install the app to gain access to the entire cloud storage of all participants. When the recordings were transferred, their transcribed text and the URL of the audio file were apparently transferred in plain text, which any user of the app could read with a network sniffer. Anyone who knew the URL could retrieve the audio file with any web browser, without password protection.
By slightly changing the web address, TechCrunch was able to retrieve the most recent recordings of all Neon participants. Even the metadata, including the telephone numbers involved and the amounts paid out, was freely available. The journalists informed Neon founder Alex Kiam, who then took his servers offline. “We are taking the app offline temporarily to add additional layers of security,” he told his users. He made no reference to the disclosure of their data and recordings.
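The two gaps described above, a recording identifier accepted without an ownership check and audio URLs that work for anyone who knows them, are closed by an object-level authorization check plus short-lived signed links. The following is an added example, not code from Neon or from the original article; the data model, function names, key and URL layout are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample data: recording id -> owning account (not Neon's schema).
RECORDINGS = {"rec-1001": "alice", "rec-1002": "bob"}
SIGNING_KEY = b"placeholder-key-load-from-a-secret-store"  # hypothetical secret
URL_TTL = 300  # seconds a download link stays valid


def _sign(recording_id: str, user: str, expires: int) -> str:
    # Bind the link to one recording, one account and one expiry time.
    msg = f"{recording_id}|{user}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_download_url(session_user: str, recording_id: str,
                       now: Optional[int] = None) -> str:
    """API side: hand out a link only for recordings the caller owns."""
    now = int(time.time()) if now is None else now
    # Object-level check: the id supplied in the request is never trusted
    # on its own; it must belong to the authenticated session.
    if RECORDINGS.get(recording_id) != session_user:
        raise PermissionError("recording not found for this account")
    expires = now + URL_TTL
    sig = _sign(recording_id, session_user, expires)
    return f"/audio/{recording_id}?user={session_user}&exp={expires}&sig={sig}"


def serve_audio(recording_id: str, user: str, exp: int, sig: str,
                now: Optional[int] = None) -> bool:
    """Storage side: True only for an unexpired, untampered link."""
    now = int(time.time()) if now is None else now
    if exp < now:
        return False
    expected = _sign(recording_id, user, exp)
    # Constant-time comparison avoids leaking how much of the tag matched.
    return hmac.compare_digest(expected.encode(), sig.encode())
```

With this in place, editing the recording id in a valid link invalidates the signature, and a leaked link stops working once it expires.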
Quadruple payout with full duplex
In order not to violate legal bans on eavesdropping, Neon only records the local sound from the mobile phone itself, not the sound of the person on the other end of the line, according to its description. Neon Mobile only receives the full call if both call partners are Neon subscribers. Because a full conversation is much more informative, each of the participants then receives 30 cents per minute.
The app is still listed in the US app stores of both Apple and Google. Neon's contract clauses are a legal minefield for subscribers.
(ds)