In the Mobile Application Penetration Testing, the end user is in the control of the device.There are usually four phases

• Discovery
  • Understanding the platform
    
  • OSINT
  • Client Side and Server Side Scenarios - Native, Hybrid or Web
• Assessment/Analysis
  • Static Analysis - Analysis is performed without executing the application or just looking at the source code of the application.
    
  • Dynamic Analysis - Dynamic analysis is performed while the application is running on the device. This includes forensic analysis of the local filesystem, network traffic between the application and server, and assessment of the app's local inter-process communication (IPC) surface.
  • Achieve Analysis - Review of the files that have not been compiled into a binary
  • Local File Analysis - Files Accessed by the application and files used during the application execution
  • Network & Web Traffic - The device will be configured to route their connection to the server through a test proxy controlled by the security tester. This will enable web traffic to be intercepted, viewed, and modified. It will also reveal the communication endpoints between the application and the server so that they can be tested. Network traffic that is not traversing the Web and is happening at a lower layer in the TCP/IP protocol stack, such as TCP and UDP packets, will also be intercepted and analyzed.
  • Reverse Engineering - Complied Code into Human readable format 
    
  • Interprocess Communication
• Exploitation
  • Attempt to Exploit the Vulnerability -  Discovered vulnerabilities to gain sensitive information or perform malicious activities.
    
  • Privilege Escalation
• Reporting 
  • Risk Assessment - Analyze business criticality of the application and the security risk posture and categorize the overall risk rating of the assessed application
    
  • Final Reporting

Vulnerability in mobile apps can occur due to several reason like misconfiguration in code level bugs. There is a huge need to perform a penetration test and security analysis before releasing a mobile application. If you think in terms of data, there are four layers usually a mobile app will have some data

• OS Layer
• Hardware Layer
• Network Layer
• Application Layer

Another way to think about the data in Mobile Apps are:

• Data in Rest 
• Data in Motion

Threat modeling is a process of identifying all possible threats to a system so that they can be categorized and analyzed. It's a proactive approach to a system security. Essentially, you are trying to identify and fix the vulnerability before adversaries can exploit them. There are two broad categories:

• Insider Threat (eg: user pluging in a malicious USB, user leaking information)
  
• External Threat (eg: malware attacks etc)
  

Goals:

• To reduce the number of security-related design and coding defects.
• To reduce the severity of any remaining defects 

Overall result is reduced risk. 
 
Approaches:

• Proactive/Defensive Approach: This is an early stage measure during design and specification establishment. In majority of the cases this proactive approach of embedding the defenses during the initial phase is more successful and cost effective.
• Reactive/Adversarial Approach: This takes place after the product has been created and deployed.​This is the core concept behind red teaming, pen testing, ethical hacking, Fuzz Testing. Usually engineer release quick patches and updates as a countermeasure and it's more cost effective in comparison to redesigning the product. 

Threat Identification: 

• Focused on Asset: Threat Identification on Vulnerable Assets
  
• Focused on Attackers: Identify Potential Attackers and their Goals
  
• Focused on Software: Potential Threats against the developed Software
  

STRIDE Method (Developed by Microsoft):
S - Spoofing - Attacker trying to gain the access by falsified methods
T - Tampering - Any action resulting in unauthorized changes of the data either in transit of storage.
R - Repudiation -  The ability of user or attacker to deny the activity.
I - Information Disclosure - Revelation of private, confidential or controlled information to external and unauthorized sources.
D - Denial of Service - An attack to prevent the authorized use of the resource.
E - Elevation of Privilege - An attack where a limited user account is transformed into a higher privileged account.