
Giving 3rd party apps credentials to your Tesla Account?

I'm curious as to the community's thoughts on giving 3rd party apps access to your Tesla account -- like the TeslaFi and Stats for Tesla iOS apps... Are most people comfortable with this or not? I'm leaning towards the 'not' phase as it seems it gives a LOT of access.
 
They use it to generate a "token" to access the car for the data. You can generate the token yourself if you are technically minded. You can also invalidate the token by changing your account password. It's definitely something to consider though, in today's "cyber security" concerns.
 
From a cyber security perspective -- if it's ONLY a security token that's generated AND it's only the device I'm using that goes and makes the call to Tesla I'm probably fine with it... If their back-end servers are doing it on my behalf -- I'm probably not. Hmm.
 
On a completely separate side note, I would tell you that it's my personal opinion that it is NOT a good thing for a new owner to sign up for Stats / TeslaFi etc. Not because of cyber security concerns, but because all the data tends to overwhelm people and make them concerned about minute details that do not matter that much.

It's much better to have a couple of months under your belt, figuring out how the car works etc. We see tons of posts here by relatively new owners saying something like "I have had my car a couple weeks / a month / a few days and I am concerned about XXXX. TeslaFi shows....." or "Stats app shows.....".

My unsolicited .02.
 
I've been drafting a post on this topic for a while (notes here and there). In summary: Heck no. I'll save the details for my full PSA post for now.

They use it to generate a "token" to access the car for the data. You can generate the token yourself if you are technically minded. You can also invalidate the token by changing your account password. It's definitely something to consider though, in today's "cyber security" concerns.

The token and session are not immediately invalidated on password changes. I had it work for weeks after both a password and email change. Their account session practices are simply not ideal.
 
What's "it" in your post of "had IT work for weeks"? The OP's post was on the general topic of 3rd party apps, and my response was regarding said apps that I have experience with (TeslaFi and Stats), both of which stopped working when I changed my account password.

Not asking for your PSA post in this thread, just curious what the "IT" is that you are talking about.
 
The token. FWIW the official Tesla app continued to work for the same amount of time without requiring me to sign back in. I'm not sure if this is an intentional feature, a bug, or something yet to be done on the roadmap.
 
Ok... but we were not talking about the official Tesla app and its token. We were talking about third party apps in this thread. I thought you were saying that third party apps did not have their token invalidated by changing passwords on your official Tesla account, and that did not match my experience at all, nor anyone's experience I have read about here.

The official Tesla account I have never tested, nor tried to invalidate its token from. Interesting information but different than the thread topic imo.
 
Perhaps I should have explained that I'm no stranger to APIs like this, and that it makes no difference if I use the token myself or give it to an app. I used the token directly with my own scripts, no third party app. Whether the token "belongs" to an app or myself makes no difference because there simply is no difference in terms of token invalidation on password change. If an app used a token instead of my own scripts, it would have also been able to use it after I changed my password.
 
Noted.

Just mentioning that, for the purposes of this thread, I have owned both the Stats application and TeslaFi, and performed a password change. For both, it appeared to me that they stopped working, but while I can generate my own token, I am not as versed as you in the subject.
 
I use an open-source, self-hosted software suite that does essentially what TeslaFi and TeslaScope do. If I'm putting my car's credentials into something, it's going to be something in which I can audit the code personally. The amount of information you can get from these tools is amazing, but you do have to balance that against your own security. Theoretically, someone who has access to a valid API token for your account could issue the same "let someone drive off without a key" command the OEM App uses, and use that to make off with your car, or track your car's location as a means to stalk you, or know when you're not home to facilitate a burglary. So I go self-hosted.
 
@jjrandorin Figured today is as good a time as any, here it is: PSA: Don't use third-party apps and services, period.

I like this approach. It's incredibly hard to fully and independently audit a codebase, but this is also likely a fairly simple thing to audit.
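
The disagreement earlier in the thread comes down to whether the server consults a password change when it validates a bearer token, regardless of who holds that token. The following is an added example, not code from any poster and not Tesla's API: a constructed Python model (class, method names and the 45-day lifetime are assumptions) comparing expiry-only validation with validation bound to a credential generation counter.

```python
import hashlib, hmac, secrets, time

class TokenService:
    """Constructed model of a bearer-token issuer (hypothetical, not Tesla's API)."""

    def __init__(self, revoke_on_password_change):
        self.revoke_on_password_change = revoke_on_password_change
        self.accounts = {}   # user -> {"pw": hash, "epoch": int}
        self.tokens = {}     # token -> {"user", "epoch", "expires"}

    @staticmethod
    def _hash(password):
        # Illustration only; a real service would use a slow password hash.
        return hashlib.sha256(password.encode()).hexdigest()

    def register(self, user, password):
        self.accounts[user] = {"pw": self._hash(password), "epoch": 0}

    def login(self, user, password, ttl=45 * 86400, now=None):
        # ttl is a constructed value, not a documented lifetime.
        acct = self.accounts[user]
        if not hmac.compare_digest(acct["pw"], self._hash(password)):
            raise PermissionError("bad credentials")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": user, "epoch": acct["epoch"],
                              "expires": now + ttl}
        return token

    def change_password(self, user, new_password):
        acct = self.accounts[user]
        acct["pw"] = self._hash(new_password)
        acct["epoch"] += 1   # credential generation counter

    def is_valid(self, token, now=None):
        rec = self.tokens.get(token)
        now = time.time() if now is None else now
        if rec is None or now >= rec["expires"]:
            return False
        if self.revoke_on_password_change:
            # Reject tokens minted under an older credential generation.
            return rec["epoch"] == self.accounts[rec["user"]]["epoch"]
        return True   # expiry-only: the password change is never consulted

def token_survives_password_change(revoke_on_password_change):
    svc = TokenService(revoke_on_password_change)
    svc.register("owner", "old-password")
    token = svc.login("owner", "old-password")   # held by an app or a script
    svc.change_password("owner", "new-password")
    return svc.is_valid(token)
```

Under the expiry-only policy the token stays usable until it expires, whether an app or the owner's own script holds it; only the server-side check decides.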