Comment by crote

2 hours ago

Alternatively: don't add inherently-unsafe functionality which requires attestation in order to have a veneer of "safety".

As media piracy and game cheating have shown: no matter how hard you try, there will always be ways around it. You should assume that a 3rd-party device you have zero control over is already compromised, so why not use the API as the boundary layer, stop pretending you can secure the app, and open it up to 3rd-party access like it already is in practice?

Yeah, in the case at hand it's quite silly anyway. We have a VW car and the primary things you can do with the app are check the charging state, stop charging, and turn on the heating/airco.

Unless I overlook something, the worst attack vector for a compromised phone is: you could drain the battery by repeatedly turning on the airco.

Though I guess they are rolling out phone-based car keys, which may be the incentive.