Comment by anonymousiam
11 hours ago
If they have concerns about the security of their app on some platform, they have the choice to either put "security" into the app, or to trust the platform vendor to provide the security. The correct solution is the first way. Deferring trust to the platform provider is the lazy way.
If their APIs are done correctly, they shouldn't be afraid to expose them.
You're proving the previous commenter's point. VW doesn't want liability. They do not care about "security" just liability.
When they leave the "security" to the platform they can blame them in a lawsuit.
Google has a pretty good legal team. Their developer ToS that absolves them of any sort of liability for anything. So this means VW is just being lazy and not seeking legal protection.
https://play.google/developer-distribution-agreement.html
>Their developer ToS that absolves them of any sort of liability for anything.
This is... obviously not true?
If you could (somehow) meaningfully damage a car via the app, do you think VW wouldn't be liable because of the Google Play developer ToS?
> VW is just being lazy
Maybe they rather be lazy and be able to shift blame, even without much legal recourse.
How else would you build "security" into the app (in the sense of not allowing third-party modifications of it that would open them up to liability), except relying on hardware attestation that the app has not been modified? That attestation necessarily requires the platform provider to be involved.
Volkswagon has no jurisdiction over how I manage my fob, which is the client for the vehicle's unlock and start API. Once you hand a bearer token to me that governs full access to the vehicle, including the accelerator and steering wheel, it's not your job to babysit whether I chose to use it while drunk or hand it over to someone else.
You don't, the app runs on a user-supplied device. They should secure the part that runs on the car and consider the interface between the app and the api to be a user interface.