True - but the vector here would be to spoof Tesla's service endpoints that the app talks too and use a MITM proxy. Luckily, all this is mitigated by a lot of clever handshaking between the App, Tesla's services, and the car. (see this: I decompiled the Tesla Android app and poked around a bit...