You don't; the app runs on a user-supplied device. They should secure the part that runs on the car and consider the interface between the app and the API to be a user interface.