Hi znino,
I don't blame your friends for being concerned. I ran Symantec Research Labs for a number of years so I have first-hand knowledge of the volume and variety of attack vectors that are in the wild today. Let me tell you a little about the app that you can pass along to your friends.
The app uses https to connect to Tesla's servers, which means that all communications are encrypted. It does not store or communicate the user's password. It *does* store a cookie file on the user's disk. If this cookie file falls into the hands of an attacker, they could access your vehicle. An attacker would have to have access to your computer to make this possible. The application shares no information with me or anyone else other than Tesla. I'd actually love to collect some aggregate statistics (not user identifiable) but I've refrained from doing so because I don't want to create even a perception that users are being spied upon. I don't even know how many people have tried VT.
Other than communicating with Tesla, the app does download up to 3 files from a different source - dropbox. The first file is a list of the releases. The app uses this to determine whether a newer release is available. If a new release is available, the user can click a link to see the most recent release notes (they are also on dropbox). Finally, if the user chooses to download the latest release, it will download that from dropbox. No user information is shared in this process.
As @musterion points out, the code is open source and posted on github. I welcome anyone to look at it and let me know of any security vulnerabilities that might be present. I understand that not everyone has the time, interest, or inclination to do that, but it is an option for some.
Thanks for your interest in VisibleTesla. I'm not a developer for a living anymore and this project has been a really fun way to keep at least some of those old skills going.