This is almost certainly the answer and clever as hell. You just have to make sure the server storing the firmware (which you control) has the right CORS headers (as you mention) and you are in business.

This means that the CarPlay device has no "internet" (spoiler: it never had real internet access) unless you are on that page interacting with it.

I'm not sure how these devices work, I mean I know they broadcast themselves as a CarPlay head unit then "somehow" pass that to the car via a wired connection (pretending to be a phone connecting via USB). "somehow" being the important part. Does it hand along an encrypted stream that it can't decode or does it decode/re-encode?

Either way I'd bet these devices are pretty safe to use. The phone sends a video feed, not raw "data" so the MitM (again, if that's how it works) would need to OCR the video to get anything useful since the raw video would be too large to store and too heavy to transfer over cellular (via it's own hidden radio, again, worst-case-scenario).

If the device decodes the stream in the middle then the worst case I can think of is it could be doing on-device OCR and cellular radio to exfiltrate the text but I feel confident that you could spot the cellular radio (or someone who did a teardown). Without the radio it has no way to get data off the device which means the best it could do it sneak some out while you were on that update screen. Though I think that's all pretty far-fetched.

EDIT: I went looking for some way to act as a CarPlay receiver and get the raw video feed and it looks like it's possible [0] so yeah, a malicious device could proxy the connect, OCR the result, and send data via its own cellular connection but that would be relatively easy to detect and not worth it unless you are the target of a nation state which, at that point, you have bigger problems.

[0] https://github.com/harrylepotter/carplay-receiver

What makes you think "American" products aren't just rebranded AliExpress products essentially?

Is it any better if it's Sony or Audi that has my data?

For Lightning at least, it was touchy as hell. It required a really good constant connection, or you'd constantly disconnect to the base car OS and reconnect to CarPlay. My wife and I had a handful of cables, even quality ones like Anker and Belkin, that were no longer good enough for CarPlay, but worked perfectly fine for regular charging.

I practically always use it wirelessly, because it's just so convenient to place it in the phone compartment, and not have to deal with the charging cable hanging around.

I generally don't have any issues with charging, so phone either stays at the same battery level, or charges a bit (depending on how long I drive).

The only downside is that phone heats up due to the usage of CarPlay as well as due to the wireless charging, which triggers heavy throttling of iOS, and I assume this is not ideal for the phone/battery as well.

I have wireless CarPlay in my car and I don't care about plugging it in for short rides. It's convenient that I don't have to plug it in every time I am on a 20-30 min ride just to get directions. It's a very useful feature. Not a deal breaker but a very good nice to have.

> I kinda just don't get wireless CarPlay/Android Auto at all. If I'm going to connect my phone to my car wirelessly for that, it's gonna drain the battery. So I'm going to plug it in so it can charge. So... now it's wired, so why do I need wireless?

For short trips. Like the two many of us do every single working day.

For quick trips where you don’t want to screw with cables, or where you don’t want to override your passenger doing the connect. I like wireless for CarPlay eve though my phone isn’t hard plugged into the head unit bit is still charging from the car. So for me a cigar lighter power plug is still better for charging the phone even though I have CarPlay wireless active

I immediately thought of the magnetic charging as well before getting to your second paragraph.

One other concern I’d have with wired charging in the car long-term is wear and tear on the USB port and the cable over time (also considering the cable is likely being left in a sometimes very hot car).

Do you feel the same way about WiFi? The big hassle is getting the laptop out of the bag, not plugging in the Ethernet cable?

>I kinda just don't get wireless CarPlay/Android Auto at all.

In addition to your argument, wireless CarPlay is also notoriously unreliable.[1]

[1]: https://www.google.com/search?q=wireless+carplay+not+working...

I've used a Sunweyer dongle from Amazon. If you can't get the "new shopper" discount on Aliexpress, it's cheaper. Seems to work fine. Doesn't like pairing to multiple phones, and the phone doesn't like being plugged into one of the car's USB outlets (it drops the audio because AFAICT the phone thinks it's plugged into the car for audio, but the car is still expecting audio over the Bluetooth "CarPlay" connection), even if it's one of the outlets that's not supposed to do anything but power.

I'd use it a little differently, but it's my wife's car, not mine. Who would have thought a 2022 Mercedes would have wired-only CarPlay?

Anyway, I find it excellent for podcast control. If maps are off (in my case, because location services are turned off) it doesn't really use more power than plain Bluetooth audio, and when I approach my destination on a trip I'll turn on location and plug it in to juice up the last bit.

I have been using CarlinKit 5.0 from AliExpress for last 1 year. No issues so far.

I have to ask: why didn't you plug your phone in while stationary? That seemed entirely avoidable.