The German NSA seemed unable to access the server as they only intercepted the traffic. They got a TLS certificate from Let's Encrypt by intercepting traffic. If the app had used public key pinning, and the server had full disk encryption, this wouldn't have been enough for a compromise.