Car (and IoT) manufacturers really need to be dragged into security training.
Just because you could make a certain thing possible remotely, you need to stop and ask "should I?".
Why would anyone want to unlock the doors via the internet connected ap? It's pretty unlikely that feature will be used by genuine owners anywhere near as many times as it'll be used by someone keen to steal the contents of the boot.
If you *really* must have keyless door opening, only support it over a short range communication such as bluetooth, or RFID.
Next, starting the car remotely... Okay, to prewarm on a cold morning it's nice, but you don't need to disable the interior alarm, or unlock the doors, release the steering lock, or allow the hard/parking brake to be release and a gear engaged... If those happen kill the engine and set off the arm. (Release of rattle snake from glove-box optional).
And don't forget to give the owner of the car a method of deleting previously authorised users/devices without requiring a visit to a main dealer.
Biting the hand that feeds IT
