
Giving 3rd party apps credentials to your Tesla Account?

Discussion in 'Model 3: User Interface' started by QS01, Nov 27, 2019.

  1. QS01

    QS01 Member

    Joined:
    Nov 25, 2019
    Messages:
    102
    Location:
    US
    I'm curious as to the community's thoughts on giving 3rd party apps access to your Tesla account -- like the TeslaFi and Stats for Tesla iOS apps... Are most people comfortable with this or not? I'm leaning towards the 'not' phase as it seems it gives a LOT of access.
     
  2. jjrandorin

    jjrandorin Moderator, Model 3, Tesla Energy Forums

    Joined:
    Nov 28, 2018
    Messages:
    5,800
    Location:
    Riverside Co. CA
    They use it to generate a "token" to access the car for the data. You can generate the token yourself if you are technically minded. You can also invalidate the token by changing your account password. It's definitely something to consider though, in today's "cyber security" concerns.
     
  3. QS01

    QS01 Member

    Joined:
    Nov 25, 2019
    Messages:
    102
    Location:
    US
    From a cyber security perspective -- if it's ONLY a security token that's generated AND it's only the device I'm using that goes and makes the call to Tesla I'm probably fine with it... If their back-end servers are doing it on my behalf -- I'm probably not. Hmm.
     
  4. jjrandorin

    jjrandorin Moderator, Model 3, Tesla Energy Forums

    Joined:
    Nov 28, 2018
    Messages:
    5,800
    Location:
    Riverside Co. CA
    On a completely separate side note, I would tell you that it's my personal opinion that it is NOT a good thing for a new owner to sign up for Stats / TeslaFi etc. Not because of cyber security concerns, but because all the data tends to overwhelm people and make them concerned about minute details that do not matter that much.

    It's much better to have a couple of months under your belt, figuring out how the car works etc. We see tons of posts here by relatively new owners saying something like "I have had my car a couple weeks / a month / a few days and I am concerned about XXXX. TeslaFi shows..." or "Stats app shows...".

    My unsolicited .02.
     
  5. camalaio

    camalaio Active Member

    Joined:
    May 28, 2019
    Messages:
    1,381
    Location:
    Vernon, BC, Canada
    I've been drafting a post on this topic for a while (notes here and there). In summary: Heck no. I'll save the details for my full PSA post for now.

    The token and session are not immediately invalidated on password changes. I had it work for weeks after both a password and email change. Their account session practices are simply not ideal.
     
  6. jjrandorin

    jjrandorin Moderator, Model 3, Tesla Energy Forums

    Joined:
    Nov 28, 2018
    Messages:
    5,800
    Location:
    Riverside Co. CA
    What's "it" in your post of "had IT work for weeks"? The OP's post was on the general topic of 3rd party apps, and my response was regarding said apps that I have experience with (TeslaFi and Stats), both of which stopped working when I changed my account password.

    Not asking for your PSA post in this thread, just curious what the "IT" is that you are talking about.
     
  7. camalaio

    camalaio Active Member

    Joined:
    May 28, 2019
    Messages:
    1,381
    Location:
    Vernon, BC, Canada
    The token. FWIW the official Tesla app continued to work for the same amount of time without requiring me to sign back in. I'm not sure if this is an intentional feature, a bug, or something yet to be done on the roadmap.
     
  8. jjrandorin

    jjrandorin Moderator, Model 3, Tesla Energy Forums

    Joined:
    Nov 28, 2018
    Messages:
    5,800
    Location:
    Riverside Co. CA
    Ok... but we were not talking about the official Tesla app and its token. We were talking about third party apps in this thread. I thought you were saying that third party apps did not have their token invalidated by changing passwords on your official Tesla account, and that did not match my experience at all, nor anyone's experience I have read about here.

    The official Tesla account I have never tested, nor tried to invalidate its token from. Interesting information but different than the thread topic imo.
     
  9. camalaio

    camalaio Active Member

    Joined:
    May 28, 2019
    Messages:
    1,381
    Location:
    Vernon, BC, Canada
    Perhaps I should have explained that I'm no stranger to APIs like this, and that it makes no difference if I use the token myself or give it to an app. I used the token directly with my own scripts, no third party app. Whether the token "belongs" to an app or myself makes no difference because there simply is no difference in terms of token invalidation on password change. If an app used a token instead of my own scripts, it would have also been able to use it after I changed my password.
     
  10. jjrandorin

    jjrandorin Moderator, Model 3, Tesla Energy Forums

    Joined:
    Nov 28, 2018
    Messages:
    5,800
    Location:
    Riverside Co. CA
    Noted.

    Just mentioning that, for the purposes of this thread, I have owned both the Stats application and TeslaFi, and performed a password change. For both, it appeared to me that they stopped working, but while I can generate my own token, I am not as versed as you in the subject.
     
  11. DopeGhoti

    DopeGhoti Active Member

    Joined:
    Aug 28, 2019
    Messages:
    1,168
    Location:
    Phoenix, AZ
    I use an open-source, self-hosted software suite that does essentially what TeslaFi and TeslaScope do. If I'm putting my car's credentials into something, it's going to be something in which I can audit the code personally. The amount of information you can get from these tools is amazing, but you do have to balance that against your own security. Theoretically, someone who has access to a valid API token for your account could issue the same "let someone drive off without a key" command the OEM App uses, and use that to make off with your car, or track your car's location as a means to stalk you, or know when you're not home to facilitate a burglary. So I go self-hosted.
     
  12. camalaio

    camalaio Active Member

    Joined:
    May 28, 2019
    Messages:
    1,381
    Location:
    Vernon, BC, Canada
    @jjrandorin Figured today is as good a time as any, here it is: PSA: Don't use third-party apps and services, period.

    I like this approach. It's incredibly hard to fully and independently audit a codebase, but this is also likely a fairly simple thing to audit.
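
The disagreement in this thread about whether a password change invalidates an already-issued token comes down to how the server validates tokens. The sketch below is an example added here, not code from any poster, app or from Tesla; the `TokenService` class, its method names and the 45-day lifetime are all constructed for illustration. It shows a token check that ignores credential changes next to one that binds each token to the credential version it was issued under.

```python
import secrets

class TokenService:
    """Toy bearer-token issuer (hypothetical model, not any vendor's real API)."""

    def __init__(self, bind_to_credential_version, ttl_seconds=45 * 24 * 3600):
        self.bind = bind_to_credential_version   # False = weak, True = hardened
        self.ttl = ttl_seconds                   # constructed lifetime (45 days)
        self.cred_version = {}  # user -> counter bumped on every password change
        self.tokens = {}        # token -> (user, cred_version_at_issue, expiry)

    def register(self, user):
        self.cred_version[user] = 1

    def issue(self, user, now):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, self.cred_version[user], now + self.ttl)
        return token

    def change_password(self, user):
        self.cred_version[user] += 1

    def revoke_all(self, user):
        # Explicit "sign out everywhere": drop every token held for this user.
        self.tokens = {t: v for t, v in self.tokens.items() if v[0] != user}

    def is_valid(self, token, now):
        entry = self.tokens.get(token)
        if entry is None:
            return False
        user, version, expiry = entry
        if now >= expiry:
            return False
        # Hardened mode: a token minted under an older password is rejected.
        if self.bind and version != self.cred_version[user]:
            return False
        return True


def token_survives_password_change(bind):
    """Issue a token, change the password, check the token one week later."""
    svc = TokenService(bind_to_credential_version=bind)
    svc.register("owner")
    third_party_token = svc.issue("owner", now=0)
    svc.change_password("owner")
    return svc.is_valid(third_party_token, now=7 * 24 * 3600)
```

In the weak mode the token held by a third party stays usable until it expires or is explicitly revoked, so a password change alone does not end that party's access.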
     
