There is the risk of a brute force attack. But Tesla would notice that. Other than that, no.
If the Tesla API was reverse-engineered via an MtM, then yes, your iOS app is open to an MtM attack that can easily happen on any public WiFi.
I have NOT verified this is, in fact, possible. There are other ways that the API could have been reverse-engineered without an MtM depending on how the app is designed and how keys were being handled. However, my understanding is that it was reverse-engineered via MtM.
- - - Updated - - -
Assuming there are no other security issues with Tesla's servers, I am at a bit of a loss as to where the extraordinary risks lie. Here are a few scenarios:
1. Someone steals your auth token. Can be used to get access to the API as you. You say Tesla can't revoke the token, but how do you know they can't? Did you ask them?
I assume Tesla can revoke the token. It would actually be a critical flaw if they could not.
You, however, cannot.
Furthermore, you can't know which token to revoke, so all tokens must be revoked.
Look at Twitter, for example (and hardly a shining beacon of security). Let's say you use HootSuite. HootSuite is hacked. You go into your Twitter account and revoke HootSuite's authorization. Done. All in your hands, no impact to all the other tools that need to interact with Twitter.
With Tesla? You call them up, they wipe all current tokens. You then have to go back and re-authorize anything that had been previously authorized.
Also, with the Twitter model, there's full traceability. If something funky is going on, it can be traced to specific authentication credentials for an application. With Tesla, you just know something is wrong, but you likely have no idea what tool is responsible.
2. Lose your username/password. Same risk as any other application. Change your username/password.
No. Using the Twitter example, Twitter is the only site with your Twitter username/password. Under the Tesla model, every site that needs to access the API must at various points get access to the username/password.
3. Lose your phone. Better hope you have a strong passcode on it and it's not vulnerable to any one of the hard-hacks that get you access to it. Or are able to remote-wipe the device.
If the MtM reverse-engineering story is true, the iPhone app is a walking vulnerability.
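The per-application token model this post contrasts with Tesla's, as an added example (not code from the thread, and not Twitter's or Tesla's actual API): each third-party tool gets its own token, one tool can be revoked without touching the others, and every action traces back to the tool that performed it. The owner and tool names are constructed for the demo.

```python
# Added illustration of the "Twitter model" described in the post: per-app tokens,
# per-app revocation, and per-app traceability. The owner/app names are constructed.
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenStore:
    tokens: dict = field(default_factory=dict)   # token -> (owner, app_name)
    audit: list = field(default_factory=list)    # (owner, app_name, action)

    def authorize(self, owner: str, app_name: str) -> str:
        """Issue a fresh token for one app; the app never sees the owner's password."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (owner, app_name)
        return token

    def call(self, token: str, action: str) -> bool:
        """Perform an API action if the token is live, logging which app did it."""
        entry = self.tokens.get(token)
        if entry is None:
            return False
        owner, app_name = entry
        self.audit.append((owner, app_name, action))
        return True

    def revoke_app(self, owner: str, app_name: str) -> int:
        """Revoke only the named app's tokens; the owner's other apps keep working."""
        doomed = [t for t, (o, a) in self.tokens.items() if o == owner and a == app_name]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)

    def who_did(self, action: str) -> list:
        """Traceability: which apps performed a given action."""
        return [app for (_, app, act) in self.audit if act == action]


def demo() -> tuple:
    # Constructed scenario: two hypothetical tools hold tokens for one owner,
    # one tool misbehaves, and only that tool is cut off.
    store = TokenStore()
    t_dash = store.authorize("alice", "dashboard-tool")
    t_sched = store.authorize("alice", "charge-scheduler")
    store.call(t_dash, "unlock")  # suspicious action, attributable to dashboard-tool
    store.revoke_app("alice", "dashboard-tool")
    return (store.call(t_dash, "unlock"),      # False: revoked tool is locked out
            store.call(t_sched, "status"),     # True: other tool unaffected
            store.who_did("unlock"))           # ["dashboard-tool"]
```

In the Tesla model the post describes, the only equivalent of `revoke_app` would be wiping every token at once, and `who_did` would have nothing to key on.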
- - - Updated - - -
All I understand from this entire debate is that razor blades for flossing are a bad idea.
The important thing to know is that no one actually flosses with razor blades.
On the other hand, people regularly share their authentication credentials with (often reputable) third-party sites to gain access to value-add functionality. The architecture of the Tesla API ignores this reality and is thus flawed.