For this attack vector we first need to understand how mobile apps authenticate. They have the option to log in to a server, but because the network is unstable the user may also need to authenticate locally while offline. This brings inherent risk with it, but luckily we have an overview of how to tackle these risks.
When an attacker wants to exploit this vulnerability, they first try to figure out how the authentication system works, and they do this by intercepting and replaying requests with a MitM proxy such as OWASP ZAP or PortSwigger's Burp Suite. Afterwards the attacker attempts to bypass that authentication mechanism, and an attacker who fully understands how the mobile app is vulnerable would create some kind of malware to install on the user's device that bypasses the authentication by making direct calls and reporting important items, such as JWT tokens, back to the attacker.
This is a much bigger problem on mobile devices than on desktops, because desktop users are expected to have a reasonable connection to the internet. Mobile connections are slower and less stable by nature. Because of this, mobile applications often require offline authentication as well, which can have disastrous consequences. Mobile users often have weaker passwords for their mobile devices, such as a 4-digit PIN, which is reasonable to brute force.
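The point about a 4-digit PIN being brute-forceable offline is easy to show in code. The example below is added here and is not from the original page: a hypothetical `WeakOfflineVerifier` does the plain comparison an app must never rely on, while a hypothetical `HardenedOfflineVerifier` stores a salted PBKDF2 verifier and locks after a few failures; `exhaustive_guess` simulates trying every PIN against each.

```python
import hashlib
import hmac
import os

PIN_SPACE = 10_000  # every 4-digit PIN from 0000 to 9999


class WeakOfflineVerifier:
    """Offline PIN check as warned against above: plain comparison, no throttling."""

    def __init__(self, pin: str) -> None:
        self._pin = pin  # stored as-is, so a device dump reveals it directly

    def verify(self, candidate: str) -> bool:
        return candidate == self._pin


class HardenedOfflineVerifier:
    """Keeps only a salted PBKDF2 verifier and refuses checks after max_attempts failures."""

    def __init__(self, pin: str, max_attempts: int = 5) -> None:
        self._salt = os.urandom(16)
        self._verifier = self._derive(pin)
        self._max_attempts = max_attempts
        self.failures = 0

    def _derive(self, pin: str) -> bytes:
        # Key stretching: each guess costs 100k iterations instead of one compare.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    @property
    def locked(self) -> bool:
        return self.failures >= self._max_attempts

    def verify(self, candidate: str) -> bool:
        if self.locked:
            return False  # lockout: no more guesses are evaluated at all
        ok = hmac.compare_digest(self._derive(candidate), self._verifier)
        self.failures = 0 if ok else self.failures + 1
        return ok


def exhaustive_guess(verifier) -> tuple:
    """Try every 4-digit PIN in order; return (PIN found or None, attempts made)."""
    for n in range(PIN_SPACE):
        candidate = f"{n:04d}"
        if verifier.verify(candidate):
            return candidate, n + 1
        if getattr(verifier, "locked", False):
            return None, n + 1  # hardened verifier shut the door early
    return None, PIN_SPACE
```

The lockout and stretching only raise the cost of guessing on the device; they do not make a 4-digit PIN a strong secret, so anything sensitive should still be gated by the server.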
What makes this vulnerability so bad is that, due to its nature, the user performing the attack is not logged (as there is no user to speak of). This makes it almost impossible to detect and prevent this attack in the future.
The impact itself can differ: