You don't, the app runs on a user-supplied device. They should secure the part that runs on the car and consider the interface between the app and the api to be a user interface.
I don't disagree with this, but you're completely contradicting the user I'm replying to. I'm pointing out that the user who says "you should put security into the app" is completely misguided or at the very least perfectly explaining why VW is doing this.