TL;DR — Key Takeaways
- Neon exposed user data via weak API security
- The app's fast growth exposed security weaknesses that had not been addressed
- Mobile app security testing finds flaws before they’re published
A viral new call recording app, called Neon, offered users cash for their conversations to train AI models. But after a security flaw was discovered that allowed anyone to access the phone numbers, call recordings, and transcripts of any other user, the app has gone offline.
This isn’t just a one-off. It’s the pattern we keep seeing when mobile apps chase growth without building security into the core.
At a glance: What went wrong with Neon’s security
Based on the information available, we've identified the key failures:
- Overly permissive access control: Neon’s backend APIs did not enforce strict access restrictions. As TechCrunch’s investigation revealed, any logged-in user could access transcripts, audio file URLs, and metadata belonging to other users.
- Insufficient server‑side validation: The app’s front end seemed to limit visibility to a user’s own data, but users could bypass those constraints via network tools. The backend didn’t properly vet requests to ensure they were for the correct user.
- Unsecured data endpoints: The system exposed raw audio files and transcripts via publicly accessible links (or links that could be inferred) without adequate authentication safeguards.
Lessons for app developers and startup apps
Neon’s vulnerability isn’t just a warning for fast-growing apps; it’s a red flag for any mobile app handling sensitive user data, especially audio, PII, transcripts, or anything AI‑adjacent. Here are the key takeaways:
- Publicly accessible = publicly exploitable. Serving transcripts or audio files via unprotected URLs (even if “hard to guess”) is a ticking time bomb. Sensitive assets must be gated behind secure, expiring access tokens with strict audit logging.
- Security must be scalable from the start. Even in proof-of-concept or early user phases, foundational security (strong auth, encryption, minimal permissions) should be in place. Once users, data, and growth scale, retrofitting security is expensive, risky, and prone to failure.
- Mobile app security testing is essential. App developers should conduct penetration testing and threat modeling to find gaps before launch, including simulating credential or parameter tampering.
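The access-control failure and the "expiring access tokens" remedy described above, as an added example that is not Neon's or Quokka's code: a handler that only checks "is logged in" beside one that re-checks ownership server-side, and a short-lived, user-bound signed link for the audio file instead of a bare URL. The transcript store, users and signing key are constructed placeholders.

```python
import hmac, hashlib, time
from urllib.parse import urlencode, parse_qs

# Constructed sample data: two users, one transcript each (not real Neon data).
TRANSCRIPTS = {
    "t-1001": {"owner": "alice", "text": "...", "audio": "s3://bucket/t-1001.m4a"},
    "t-1002": {"owner": "bob",   "text": "...", "audio": "s3://bucket/t-1002.m4a"},
}
SECRET = b"placeholder-signing-key"  # load from a secret store in a real service
AUDIT = []  # who accessed which transcript; ships to the audit log in practice

def get_transcript_vulnerable(session_user, transcript_id):
    """The failure pattern: 'logged in' is the only check, so any user can read
    any transcript just by changing the id in the request."""
    if session_user is None:
        raise PermissionError("login required")
    return TRANSCRIPTS[transcript_id]

def get_transcript(session_user, transcript_id):
    """Hardened: ownership is re-checked on every request; the client's own
    filtering is not trusted."""
    if session_user is None:
        raise PermissionError("login required")
    rec = TRANSCRIPTS.get(transcript_id)
    if rec is None or rec["owner"] != session_user:
        # Same response for 'missing' and 'not yours' so ids cannot be enumerated.
        raise PermissionError("not found")
    AUDIT.append((session_user, transcript_id))
    return rec

def sign_audio_url(session_user, transcript_id, ttl_seconds=300, now=None):
    """Issue a short-lived link bound to the requesting user for the audio file."""
    get_transcript(session_user, transcript_id)  # ownership enforced here too
    exp = int(now if now is not None else time.time()) + ttl_seconds
    msg = f"{transcript_id}|{session_user}|{exp}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return "/audio?" + urlencode({"id": transcript_id, "u": session_user, "exp": exp, "sig": sig})

def serve_audio(session_user, url, now=None):
    """Verify signature, expiry, and that the link was issued to this user."""
    q = {k: v[0] for k, v in parse_qs(url.split("?", 1)[1]).items()}
    msg = f"{q['id']}|{q['u']}|{q['exp']}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, q["sig"]):
        raise PermissionError("bad signature")
    if int(q["exp"]) < (now if now is not None else time.time()):
        raise PermissionError("link expired")
    if q["u"] != session_user:
        raise PermissionError("link not issued to this user")
    return TRANSCRIPTS[q["id"]]["audio"]
```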
How Quokka helps organizations secure mobile apps
The Neon incident is exactly the kind of vulnerability that Quokka’s mobile app risk intelligence is built to prevent.
For mobile apps organizations build
Q-mast is our automated mobile app security testing solution, built for teams that need deep visibility, operational speed, and strong compliance.
- Comprehensive testing: Analysis of the compiled app binary using SAST, DAST, IAST, and forced-path execution
- Scans in minutes. No source code needed: Analysis of compiled app binary, regardless of in-app or run-time obfuscations
- SBOM generation & analysis: SBOM analysis for vulnerability reporting to specific library version, including embedded libraries
- Aligns with industry standards: Checks against privacy & security standards from NIAP, NIST, OWASP MASVS, CVEs, and SARIF
For mobile apps enterprises use
Q-scout is Quokka’s mobile app vetting solution. It seamlessly integrates with MDMs, giving security teams real-time visibility into the mobile apps—and associated threats—installed across MDM-managed devices. App inventories are automatically ingested into Q-scout and continuously updated, allowing each app to be analyzed for security and privacy risks as soon as it is added, updated, or removed.
If you are building or evaluating mobile apps that handle sensitive data, relying on traditional security checklists isn’t enough. Quokka embeds continuous, data-driven insight into your lifecycle, giving developers the ability to anticipate, detect, and remediate vulnerabilities before they become headlines. To learn more about Quokka, request a demo.