Welcome to Tesla Motors Club
Discuss Tesla's Model S, Model 3, Model X, Model Y, Cybertruck, Roadster and More.
Register

PSA: Don't use third-party apps and services, period.

How do you use Third-Party Apps/Services?

  • I used to use them, and I will continue to do so

    Votes: 148 39.8%
  • I used to use them, but now I will probably stop (and change my password!)

    Votes: 30 8.1%
  • Will use them at some point in the future, despite non-ideal circumstances

    Votes: 9 2.4%
  • Never used 'em, won't use them until Tesla supports them better

    Votes: 86 23.1%
  • Never used 'em, never will

    Votes: 99 26.6%

  • Total voters
    372

camalaio

Active Member
May 28, 2019
1,483
2,188
Vernon, BC, Canada
Introduction

Hello. I'm a software developer and tester. In past occupations, I've used, tested, and partially developed authentication and accounts services for various web-based applications. I am by no means a security expert and you should take my words with a hefty grain of organic fair trade Pacific ocean sea salt.

There are many third-party apps/services that can interact with your Tesla. These offer control and logging for your vehicle that the official Tesla app does not, and can indeed be extremely useful. To name the most popular purely for familiarity, you have "TeslaFi" and "Stats For Tesla" for example.

Read the bolded points if you just want to skim, I know I'm a wordy person and I apologise.

Some Terminology
  • App or Service: The thing that has access to or controls your Tesla in some way
  • Token: A sort of generated password that isn't your actual password, but is used like it
  • API: The thing that the App or Service "talks" to in order to get info or interact with your Tesla
What Third-Party Apps Ask For, and Why it's Not OK

Third party apps currently have two methods for you to provide access to your vehicle:
  1. Basic: You give your email and password to the app
  2. Advanced: You generate a token using the API, and give that token to the app
Not every service offers the token/advanced method.

In the case of Option 1, the service will use your credentials to ask the API for a token, and use that to get info from your car and control it with the API.

The problem with this is that the vast majority of people will go with Option #1 even if presented with both options. This is problematic because your password (which you probably use elsewhere, be honest) is being given to a stranger. As a Tesla owner, you're more likely to be a well-off individual with perhaps some smart home functionality, generally technically integrated with many online accounts, have a decent amount of money somewhere, etc. If I'm looking for an easy way to get highly valuable usernames and passwords, this is a fantastic source. You should never give passwords to strangers.

Whether it is the current providers or an eventual acquirer of the company behind the service, it is likely that there are third party Tesla services out there that exist mostly to obtain credentials for nefarious purposes.

Given this, token authentication is much better, if a bit complicated. However, either option gives far too much power to the third-party service.

Tesla's Poor Approach to Authorisation

The tokens used with the API give you full access. Period.

You can read info from the car, and you can fully control the car. Anything you can do via the official app or through these third-party services, you can do with that token. If this token is ever misused or leaked, all this info and control of your car is exposed.

Keep in mind this isn't just control of your car. If you have HomeLink set up, simply by having a token someone can know your car's location (at home) with the API, open the garage with the API, "start" the car with the API, load some items from your now-open home into your car, and drive off with possessions and vehicle.

Additionally, you cannot necessarily revoke tokens unless you are technically inclined to do so and know the token. Resetting your password does not necessarily invalidate previous tokens. Today, it does*. A couple months ago, it did not. I had tokens that worked for weeks. An interesting side effect of this (or what I believe to be) is that the app also stayed signed in for just as long, even though I had changed my password.

Tokens being invalidated on password reset is not a documented guarantee of the API from Tesla, and not something we should be relying on occurring in a timely manner for an API they do not explicitly publicly support in the manner we use it.

* Actually, it booted me from the app and invalidated the tokens, but the old password still worked and the new one wouldn't even after waiting some minutes. Had to reset it again, and it finally worked immediately. Tesla's auth seems inconsistent and flaky from where I sit.

Your Data is Valuable

Finally, it's 2019. Every company with a sufficiently large user-base — especially a unique one — will be approached at some point to sell the data about their users in some way.

This could be your charging habits, driving habits, location habits, how much you drive, where you appear to live, where you tend to shop, etc. A lot of information can be gleaned from seemingly limited data. Be careful what you intentionally share, that is all.

But camalaio, I've had no issue with <app/service>!

Sure, of course. They may have all the right intentions.

Or they may not. Perhaps they're selling your data. Perhaps they're just waiting for the day they preheat everyone's cars to MAX HEAT on April 1st as a widespread energy-wasting joke. Perhaps they get acquired by another company with ulterior motives.

Perhaps you just don't know what they're doing with your credentials and info.

And perhaps, despite their best intentions, they leak your login info and anyone can then access your vehicle's info and control it.

What can Tesla do?

Lots
.

Tesla can easily take the stance that you should never share your account credentials. They are absolutely correct and probably do mention this in terms of service somewhere (it's common). The API that enables these services to work was not exactly meant to be a public product, though by necessity and simplicity it is indeed publicly accessible.

Tesla could add an app permissioning system in the future that ensures tokens are...
  1. Restricted in permissions. If a logging-only service like TeslaFi only ever needs to read data from your car and never control it, it would be good to tick a box saying "this is an info token" vs. "this is a control token".
  2. Restricted in source/client usage. A token for Stats For Tesla should only be usable by Stats For Tesla, for example.
  3. Revocable. The account holder should be able to disable and remove a token at any time.
Additionally, a federated identity system would be extraordinarily beneficial. You know those "Login with Facebook" or "Login with Google" options on many services? I'm talking about a "Login with Tesla". What this does is you enter your username and password with the "identity provider" (Facebook, Google, or Tesla in this example) which authorises use of the third party service. The third party service exchanges some info with the identity provider so that they know who you are and which account you are, but the identity provider is the only one holding your login info and validation. This single-sources your sensitive account info so that if any leak occurs in the third party service, they at least don't have your credentials.

All of the above requires Tesla providing the API as a public product that is actively developed and documented for that purpose. It's not insurmountable, but I do understand that it's distracting and comes with a few annoyances in terms of ability to change things rapidly when desired.

What can I do?

Just don't use the services. They're a very large risk at the moment given the currently way permissions work (always all) and the level of control over distributed tokens (none).

Giving out your password is also just not great. If you must use one of these services or you think it's worth the high risk, use a password that you don't use anywhere else. Any single leak of your password could expose more than just that account. This doesn't prevent others from being able to control your car if a token is leaked, but the token should eventually expire.

Additionally, if you are technically inclined, you may write your own scripts. It's very easy to interact with, especially if you model the API with a Python package like e2e.api (oof, shameless plug). Heck, maybe I'll go make this model tomorrow, I need something to do.

Keep in mind you're in charge of keeping your credentials safe still, but at least they're only in your hands.

Additionally, if you're using a service just for data logging, try good ol' pen and paper. It's low tech and data sampling is relatively coarse, but who doesn't like charting some data in Excel... right? Other people like doing that right? :)

End of PSA.
 

camalaio

Active Member
May 28, 2019
1,483
2,188
Vernon, BC, Canada
I wanted to add that I have nothing against or for the existing third party apps and services. I did think of developing one myself (for public use) because they can indeed be very useful, but I just didn't see a transparent and safe way to handle the auth tokens. This alone made me entirely drop the project.

I have no stake or share related to Tesla or any third party service related to Tesla.
 

Marius A

Member
Apr 2, 2019
612
525
NORWAY
I wanted to add that I have nothing against or for the existing third party apps and services. I did think of developing one myself (for public use) because they can indeed be very useful, but I just didn't see a transparent and safe way to handle the auth tokens. This alone made me entirely drop the project.

I have no stake or share related to Tesla or any third party service related to Tesla.
You could always develop an app or service that takes the token as an input. Of course, users shouldn't trust that you aren't storing said token, but if you publish the source code then more technical people could host their own web app/build their own app.
I've considered creating my own web app using blazor or something like that, would just put it in github so everyone could use it. I use 1pass so it wouldn't be a problem to store a token for re-use (or you could put it into a config file if you have a personal amazon/google/azure/whatevs subscription).

Without a good authorization implementation by Tesla you can never build an app or host a web site that other people can trust.
 

xdcthedoc

Member
Sep 5, 2019
133
76
uk
I downloaded an app that works on my smart watch - but you have got me thinking now as it uses option 1 above.

If I delete the app and reset my password should my security be OK?

It is nice having the watch interface (Garmin)... so there is no way to do that safely that you can see?
 

Marius A

Member
Apr 2, 2019
612
525
NORWAY
I downloaded an app that works on my smart watch - but you have got me thinking now as it uses option 1 above.

If I delete the app and reset my password should my security be OK?

It is nice having the watch interface (Garmin)... so there is no way to do that safely that you can see?
If the app has your username and password then you are trusting the people who made it that they aren't going to use it for anything bad.
What Tesla COULD do, but probably won't prioritize, is give restricted access to an auth token. Think of it like app permissions on iOS/Android. That would allow you to generate a token which can only be used for whatever security setting you have allowed (for example adjust climate control). Right now any token will have access to all features.

If I were you I would delete the app and reset the password, unless the app is made by Tesla (I assume it isn't). I'm really paranoid about giving somebody else the possibility to remotely control my car, so you might not be as worried.
 

Marius A

Member
Apr 2, 2019
612
525
NORWAY
how difficult for Tesla to make the official Tesla App compatible to Smart watch say Apple watch?
Not difficult, but they're effort is going toward making self-driving software. I wouldn't expect (or want) them to focus on wearable apps.

In other news... DON’T GO OUTSIDE BECAUSE THE SKY MIGHT FALL!

Or...DON’T USE YOUR CREDIT CARD ONLINE!
Not really comparable. It's more like hiring someone to mow the lawn, and giving them the key to your house and code to disable the alarm.
 

Matsayz

Active Member
Jul 6, 2019
1,195
972
Las Vegas
Not difficult, but they're effort is going toward making self-driving software. I wouldn't expect (or want) them to focus on wearable apps.


Not really comparable. It's more like hiring someone to mow the lawn, and giving them the key to your house and code to disable the alarm.

My bad I forgot I had to put the sarcasm tag on my post.
 
  • Love
Reactions: Kleenerth3

CarterStC

Member
Jun 26, 2018
183
158
CA
This was a big dilemma for me when I created Tesla-Screen.
I figured that by being an owner and a regular user of the forums, actively part of the community, people with trust my software more than the pop ups that we see. However, I was very concerned about protecting the users of the app, and because Tesla's API does not support CORS, I could not avoid proxying theater requests through my API. However, I have found a way to keep all user authentication on the browser side, and as you suggest, allow using an access token rather than user login if preferred. I also created a page on my site that allows any user to grab an access token without risk of going through a third-party server.
I'm glad that I don't need to have any sort of database that captures user information, it really just comes down to the browser interacting with the API proxy in through my API endpoints.
 

tvad

Member
Jun 30, 2019
979
1,053
California
Interesting info, OP. I have been using Stats on a daily basis...but I just changed my Tesla password and am re-considering my use of Stats. I do find the Stats iPhone and Apple Watch apps useful.
 

camalaio

Active Member
May 28, 2019
1,483
2,188
Vernon, BC, Canada
I missed a really good analogy when writing the post.

Giving your account info to a third party stranger is exactly the same as giving this stranger the keys to your $40,000+ car so that they can go toggle controls and log data for you. Except the key can be used around the world and doesn't have to be used physically near your car. This is not something many people would do with a physical key, however we seem far more willing to give up the virtual one! With the "virtual" one, the holder of your credentials can make "copies" (tokens) and even "remotely destroy" all other "keys" (by resetting your password).

You could always develop an app or service that takes the token as an input. Of course, users shouldn't trust that you aren't storing said token, but if you publish the source code then more technical people could host their own web app/build their own app.
I've considered creating my own web app using blazor or something like that, would just put it in github so everyone could use it. I use 1pass so it wouldn't be a problem to store a token for re-use (or you could put it into a config file if you have a personal amazon/google/azure/whatevs subscription).

Without a good authorization implementation by Tesla you can never build an app or host a web site that other people can trust.

Your last point basically sums it up from the technical side.

I hesitate to recommend an open-source auditable solution simply because the current methods available from Tesla's side are still an issue no matter what else is done. Perhaps I should have made it more clear in the original post, but I don't view the way the current tokens work as sufficient either (given that we can't directly manage them or permission them in any way).

I downloaded an app that works on my smart watch - but you have got me thinking now as it uses option 1 above.

If I delete the app and reset my password should my security be OK?

It is nice having the watch interface (Garmin)... so there is no way to do that safely that you can see?

Delete app, reset Tesla account password, and at most 45 days later everything should be OK. If they don't manage to remove access from the token, they have an expiry of 45 days maximum from the time they were acquired. This has some other assumptions, but if you reset your password you're doing your due diligence and hopefully Tesla handles the rest properly.

Note that you should reset your passwords everywhere that used even a similar password, especially if they are sensitive or valuable accounts.

how difficult for Tesla to make the official Tesla App compatible to Smart watch say Apple watch?

Less difficult than implementing an accounts service that would let others develop Apple Watch apps and any other app without needing to ask for your Tesla credentials :)

I kid. It's probably less effort to make and maintain a Watch app to be honest. You Apple folk already get a widget that us Android folk don't get though, give Android some love first! :p

This was a big dilemma for me when I created Tesla-Screen.
I figured that by being an owner and a regular user of the forums, actively part of the community, people with trust my software more than the pop ups that we see. However, I was very concerned about protecting the users of the app, and because Tesla's API does not support CORS, I could not avoid proxying theater requests through my API. However, I have found a way to keep all user authentication on the browser side, and as you suggest, allow using an access token rather than user login if preferred. I also created a page on my site that allows any user to grab an access token without risk of going through a third-party server.
I'm glad that I don't need to have any sort of database that captures user information, it really just comes down to the browser interacting with the API proxy in through my API endpoints.

Nice, bring on the shameless plugs!

I like your self-serve UI-driven way of generating the token, and the fact it's actually a fairly prominent option on the page. I wish the more common services and apps did exactly this. Of course this has trust flaws as well (which are also related to the Tesla API, to be fair) but you appear to have done the best you can with the current API implementation. No one should count this as an endorsement of Tesla-Screen of course, do your own due diligence which Tesla makes it very hard to do currently.

Does your code happen to be open-source? I entirely understand if it is not.
 

Rottenapplr

Active Member
Apr 6, 2019
1,015
537
LOS ANGELES
Introduction

Hello. I'm a software developer and tester. In past occupations, I've used, tested, and partially developed authentication and accounts services for various web-based applications. I am by no means a security expert and you should take my words with a hefty grain of organic fair trade Pacific ocean sea salt.

There are many third-party apps/services that can interact with your Tesla. These offer control and logging for your vehicle that the official Tesla app does not, and can indeed be extremely useful. To name the most popular purely for familiarity, you have "TeslaFi" and "Stats For Tesla" for example.

Read the bolded points if you just want to skim, I know I'm a wordy person and I apologise.

Some Terminology
  • App or Service: The thing that has access to or controls your Tesla in some way
  • Token: A sort of generated password that isn't your actual password, but is used like it
  • API: The thing that the App or Service "talks" to in order to get info or interact with your Tesla
What Third-Party Apps Ask For, and Why it's Not OK

Third party apps currently have two methods for you to provide access to your vehicle:
  1. Basic: You give your email and password to the app
  2. Advanced: You generate a token using the API, and give that token to the app
Not every service offers the token/advanced method.

In the case of Option 1, the service will use your credentials to ask the API for a token, and use that to get info from your car and control it with the API.

The problem with this is that the vast majority of people will go with Option #1 even if presented with both options. This is problematic because your password (which you probably use elsewhere, be honest) is being given to a stranger. As a Tesla owner, you're more likely to be a well-off individual with perhaps some smart home functionality, generally technically integrated with many online accounts, have a decent amount of money somewhere, etc. If I'm looking for an easy way to get highly valuable usernames and passwords, this is a fantastic source. You should never give passwords to strangers.

Whether it is the current providers or an eventual acquirer of the company behind the service, it is likely that there are third party Tesla services out there that exist mostly to obtain credentials for nefarious purposes.

Given this, token authentication is much better, if a bit complicated. However, either option gives far too much power to the third-party service.

Tesla's Poor Approach to Authorisation

The tokens used with the API give you full access. Period.

You can read info from the car, and you can fully control the car. Anything you can do via the official app or through these third-party services, you can do with that token. If this token is ever misused or leaked, all this info and control of your car is exposed.

Keep in mind this isn't just control of your car. If you have HomeLink set up, simply by having a token someone can know your car's location (at home) with the API, open the garage with the API, "start" the car with the API, load some items from your now-open home into your car, and drive off with possessions and vehicle.

Additionally, you cannot necessarily revoke tokens unless you are technically inclined to do so and know the token. Resetting your password does not necessarily invalidate previous tokens. Today, it does*. A couple months ago, it did not. I had tokens that worked for weeks. An interesting side effect of this (or what I believe to be) is that the app also stayed signed in for just as long, even though I had changed my password.

Tokens being invalidated on password reset is not a documented guarantee of the API from Tesla, and not something we should be relying on occurring in a timely manner for an API they do not explicitly publicly support in the manner we use it.

* Actually, it booted me from the app and invalidated the tokens, but the old password still worked and the new one wouldn't even after waiting some minutes. Had to reset it again, and it finally worked immediately. Tesla's auth seems inconsistent and flaky from where I sit.

Your Data is Valuable

Finally, it's 2019. Every company with a sufficiently large user-base — especially a unique one — will be approached at some point to sell the data about their users in some way.

This could be your charging habits, driving habits, location habits, how much you drive, where you appear to live, where you tend to shop, etc. A lot of information can be gleaned from seemingly limited data. Be careful what you intentionally share, that is all.

But camalaio, I've had no issue with <app/service>!

Sure, of course. They may have all the right intentions.

Or they may not. Perhaps they're selling your data. Perhaps they're just waiting for the day they preheat everyone's cars to MAX HEAT on April 1st as a widespread energy-wasting joke. Perhaps they get acquired by another company with ulterior motives.

Perhaps you just don't know what they're doing with your credentials and info.

And perhaps, despite their best intentions, they leak your login info and anyone can then access your vehicle's info and control it.

What can Tesla do?

Lots
.

Tesla can easily take the stance that you should never share your account credentials. They are absolutely correct and probably do mention this in terms of service somewhere (it's common). The API that enables these services to work was not exactly meant to be a public product, though by necessity and simplicity it is indeed publicly accessible.

Tesla could add an app permissioning system in the future that ensures tokens are...
  1. Restricted in permissions. If a logging-only service like TeslaFi only ever needs to read data from your car and never control it, it would be good to tick a box saying "this is an info token" vs. "this is a control token".
  2. Restricted in source/client usage. A token for Stats For Tesla should only be usable by Stats For Tesla, for example.
  3. Revocable. The account holder should be able to disable and remove a token at any time.
Additionally, a federated identity system would be extraordinarily beneficial. You know those "Login with Facebook" or "Login with Google" options on many services? I'm talking about a "Login with Tesla". What this does is you enter your username and password with the "identity provider" (Facebook, Google, or Tesla in this example) which authorises use of the third party service. The third party service exchanges some info with the identity provider so that they know who you are and which account you are, but the identity provider is the only one holding your login info and validation. This single-sources your sensitive account info so that if any leak occurs in the third party service, they at least don't have your credentials.

All of the above requires Tesla providing the API as a public product that is actively developed and documented for that purpose. It's not insurmountable, but I do understand that it's distracting and comes with a few annoyances in terms of ability to change things rapidly when desired.

What can I do?

Just don't use the services. They're a very large risk at the moment given the currently way permissions work (always all) and the level of control over distributed tokens (none).

Giving out your password is also just not great. If you must use one of these services or you think it's worth the high risk, use a password that you don't use anywhere else. Any single leak of your password could expose more than just that account. This doesn't prevent others from being able to control your car if a token is leaked, but the token should eventually expire.

Additionally, if you are technically inclined, you may write your own scripts. It's very easy to interact with, especially if you model the API with a Python package like e2e.api (oof, shameless plug). Heck, maybe I'll go make this model tomorrow, I need something to do.

Keep in mind you're in charge of keeping your credentials safe still, but at least they're only in your hands.

Additionally, if you're using a service just for data logging, try good ol' pen and paper. It's low tech and data sampling is relatively coarse, but who doesn't like charting some data in Excel... right? Other people like doing that right? :)

End of PSA.
I have a reminder on my phone to change my tesla password every three months.
 

e-FTW

New electron smell
Aug 23, 2015
3,348
3,239
San Francisco, CA
Thank you posting this and raising awareness. One should probably never share their Tesla password with any third-party service. There is no way to tell where it ends up over time (mergers and acquisitions are especially hard to keep track of) and I do not believe the convenience of third-party services is worth it. To each his own, but I do not share those credentials.

My solution, which is for the Apple side of the house (apologies to the Android crew, like most folks I live in one world at once):
  1. Just use the Tesla app and what it enables Siri to do already: Tesla's Siri integration now works with Model 3 - Electrek (this would allow you to talk to your Apple Watch without any special app). But I want more...
  2. Use a password manager (Apple devices have a decent basic one built-in) to generate long, unique passwords for all things; in this case my Tesla account
  3. Use the Apple Shortcuts app and a custom shortcut to create a token using my Tesla username and password. This is all done locally on my device, with a single call to the Tesla API to fetch the token. This is what the Tesla app does when it asks you to authenticate every month and a half; it is generating a new token for the Tesla app to use.
  4. Use a series of other custom shortcuts that use this token to execute commands and queries against the car (Unlock, enable Sentry mode, stop charging+unlock charge port, set charge level, get current charge state and associated details, etc).
  5. Siri can then be invoked: “Hey Siri, enable Sentry mode”.
This is all run locally on my devices, and I have control over the actual token.

The Tesla API that every app and third-party service must use has been (unofficially) documented, which has allowed me to expand what my shortcuts can do and in turn what Siri can now do with my car: Introduction

Note: If you want to give it a try, you can download some examples off sites like Teslacuts (was going to post that link, but their SSL certificate expired 11 days ago, and it would be bad form to send you to such a site when we are talking about security and privacy best practices!). So here is a simple shortcut I made (got one from that site, then made my own) that creates a token you could use: Shortcut
As with all shortcuts, you should inspect it top to bottom before running it.
 

Products we're discussing on TMC...

About Us

Formed in 2006, Tesla Motors Club (TMC) was the first independent online Tesla community. Today it remains the largest and most dynamic community of Tesla enthusiasts. Learn more.

Do you value your experience at TMC? Consider becoming a Supporting Member of Tesla Motors Club. As a thank you for your contribution, you'll get nearly no ads in the Community and Groups sections. Additional perks are available depending on the level of contribution. Please visit the Account Upgrades page for more details.


SUPPORT TMC
Top