[mlrtime]

>The only solutions I can see are software based keying and a mobile app or legally enforced security guarantees.

Wouldn't this require the phone to be trusted and not run unsigned software?

[BrandoElFollito]

The software part is a solved problem - this is how the web is secured. There would be an exchange of keys with the car, and done.

This does not solve the problem of the timing (but the sibling comment explained that this one has a solution)