Vulnerability in mobile apps can occur due to several reason like misconfiguration in code level bugs. There is a huge need to perform a penetration test and security analysis before releasing a mobile application. If you think in terms of data, there are four layers usually a mobile app will have some data

• OS Layer
• Hardware Layer
• Network Layer
• Application Layer

Another way to think about the data in Mobile Apps are:

• Data in Rest 
• Data in Motion

Threat modeling is a process of identifying all possible threats to a system so that they can be categorized and analyzed. It's a proactive approach to a system security. Essentially, you are trying to identify and fix the vulnerability before adversaries can exploit them. There are two broad categories:

• Insider Threat (eg: user pluging in a malicious USB, user leaking information)
  
• External Threat (eg: malware attacks etc)
  

Goals:

• To reduce the number of security-related design and coding defects.
• To reduce the severity of any remaining defects 

Overall result is reduced risk. 
 
Approaches:

• Proactive/Defensive Approach: This is an early stage measure during design and specification establishment. In majority of the cases this proactive approach of embedding the defenses during the initial phase is more successful and cost effective.
• Reactive/Adversarial Approach: This takes place after the product has been created and deployed.​This is the core concept behind red teaming, pen testing, ethical hacking, Fuzz Testing. Usually engineer release quick patches and updates as a countermeasure and it's more cost effective in comparison to redesigning the product. 

Threat Identification: 

• Focused on Asset: Threat Identification on Vulnerable Assets
  
• Focused on Attackers: Identify Potential Attackers and their Goals
  
• Focused on Software: Potential Threats against the developed Software
  

STRIDE Method (Developed by Microsoft):
S - Spoofing - Attacker trying to gain the access by falsified methods
T - Tampering - Any action resulting in unauthorized changes of the data either in transit of storage.
R - Repudiation -  The ability of user or attacker to deny the activity.
I - Information Disclosure - Revelation of private, confidential or controlled information to external and unauthorized sources.
D - Denial of Service - An attack to prevent the authorized use of the resource.
E - Elevation of Privilege - An attack where a limited user account is transformed into a higher privileged account.