In the Mobile Application Penetration Testing, the end user is in the control of the device.There are usually four phases
Vulnerability in mobile apps can occur due to several reason like misconfiguration in code level bugs. There is a huge need to perform a penetration test and security analysis before releasing a mobile application. If you think in terms of data, there are four layers usually a mobile app will have some data
Another way to think about the data in Mobile Apps are:
Threat modeling is a process of identifying all possible threats to a system so that they can be categorized and analyzed. It's a proactive approach to a system security. Essentially, you are trying to identify and fix the vulnerability before adversaries can exploit them. There are two broad categories:
STRIDE Method (Developed by Microsoft):
S - Spoofing - Attacker trying to gain the access by falsified methods
T - Tampering - Any action resulting in unauthorized changes of the data either in transit of storage.
R - Repudiation - The ability of user or attacker to deny the activity.
I - Information Disclosure - Revelation of private, confidential or controlled information to external and unauthorized sources.
D - Denial of Service - An attack to prevent the authorized use of the resource.
E - Elevation of Privilege - An attack where a limited user account is transformed into a higher privileged account.