They could use certificate pinning [1] (and really, there is no reason for an app author not to do so, except for the additional work) which would thwart all man-in-the-middle attacks. The end-point is still open through the analog gap (photograph of the screen) and custom clients, though.
[1] https://www.owasp.org/index.php/Certificate_and_Public_Key_P...
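As an added illustration of the pinning the comment refers to (example code, not from the commenter or from OWASP): a stdlib-only Python check that pulls the SubjectPublicKeyInfo out of a DER certificate, hashes it into an HPKP/OkHttp-style `sha256/...` pin, and accepts a chain only if some certificate in it matches a pinned key. The pin format and the `fake_cert` helper are assumptions; the certificates are constructed, cert-shaped DER (dummy field contents, real X.509 nesting), so it runs offline, and the check is meant to run in addition to, not instead of, ordinary chain validation.

```python
import base64
import hashlib


def _read_tlv(buf: bytes, off: int):
    """Parse one DER TLV at buf[off]; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length


def spki_from_der(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV of a DER-encoded X.509 certificate."""
    _, off, _ = _read_tlv(cert_der, 0)                 # Certificate SEQUENCE
    _, off, _ = _read_tlv(cert_der, off)               # tbsCertificate SEQUENCE
    tag, _, end = _read_tlv(cert_der, off)
    if tag == 0xA0:                                    # optional explicit [0] version
        off = end
    for _ in range(5):      # serialNumber, signature, issuer, validity, subject
        _, _, off = _read_tlv(cert_der, off)
    tag, _, end = _read_tlv(cert_der, off)
    if tag != 0x30:
        raise ValueError("malformed certificate: SPKI not found")
    return cert_der[off:end]                           # whole TLV, as pinned in practice


def spki_pin(cert_der: bytes) -> str:
    """Pin string in the HPKP/OkHttp form 'sha256/' + base64(SHA-256(SPKI))."""
    digest = hashlib.sha256(spki_from_der(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def chain_pinned(chain: list, pins: set) -> bool:
    """Accept the chain only if at least one certificate's key matches a pin.
    Pinning the key (not the cert) survives reissues; keep a backup pin for rotation."""
    return any(spki_pin(cert) in pins for cert in chain)


# --- constructed test data (not real certificates) ---------------------------
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def fake_cert(key_bytes: bytes) -> bytes:
    """Cert-shaped DER with dummy fields; the nesting matches X.509, so the parser
    walks it as it would a real certificate (outer length is long-form)."""
    spki = _tlv(0x30, _tlv(0x30, b"\x06\x03\x2a\x03\x04") + _tlv(0x03, b"\x00" + key_bytes))
    tbs = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02") + _tlv(0x02, b"\x01") + _tlv(0x30, b"") * 4 + spki)
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00" + b"\x22" * 64))
```

A real client would feed `getpeercert(binary_form=True)` (or the platform's verified chain) into `chain_pinned` right after the TLS handshake succeeds.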