This is not an easy issue type to diagnose, and it is done partially through black-box and partially through white-box testing. Put simply, the mobile code processes unfiltered and unsanitised user input, which could allow an attacker to make the app trip up. This can have all kinds of unforeseen consequences, such as buffer overflows. The attacker will either phish the victim into feeding the attack vector into their application, or rely on malware that is already installed on the victim's device.
It is important to know that bad code quality does not have to lead to a security issue by definition. Most instances of bad code quality are simply developers making benign mistakes, such as writing code with high cyclomatic complexity. Sometimes, however, these instances can cause quite a lot of harm, and although they are hard to find, we should not neglect them. This issue type is easier to test for if you have access to the code, where you can run static code analysis (either with tools or manually), but it can also be tested with dynamic analysis techniques such as fuzzing.
We are looking for issues such as memory leaks or buffer overflows, plus a host of less severe issues, but know that these issue types are not easy to abuse at all and require low-level knowledge of the programming languages in use (for mobile apps, usually the native C or C++ code sitting under the managed UI layer). The typical goal for an attacker is to execute their own code within the app's address space.
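To make the buffer overflow the text talks about concrete, here is an added example in C (native mobile code is where these bugs live); it is not code from this page or from any real app. It assumes a hypothetical function that formats a greeting from an attacker-controlled display name: the unsafe variant copies the name into a fixed stack buffer without a bound, the hardened variant measures the input against its own limit first and reports failure instead of overflowing, and a small length sweep shows the kind of dynamic check a fuzzer automates.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a mobile app's native layer formats a greeting from a
 * caller-supplied display name (think: the "from" field of an incoming
 * message). NAME_MAX and both functions are assumptions made for this page,
 * not code from any real app. */
#define NAME_MAX 32

/* Vulnerable variant: trusts the attacker-controlled length. A display name
 * of NAME_MAX bytes or more runs past `name` and overwrites whatever sits
 * next to it on the stack, the classic stack buffer overflow. */
void format_greeting_unsafe(const char *display_name, char *out, size_t out_len)
{
    char name[NAME_MAX];
    strcpy(name, display_name);          /* no bound on the source length */
    snprintf(out, out_len, "Hello, %s!", name);
}

/* Hardened variant: measure the untrusted input against our own limit
 * before copying, copy only what was measured, and report failure instead
 * of overflowing or silently truncating. */
bool format_greeting_safe(const char *display_name, char *out, size_t out_len)
{
    if (display_name == NULL || out == NULL || out_len == 0)
        return false;

    /* Bounded scan: never read more than NAME_MAX bytes of attacker data. */
    size_t n = 0;
    while (n < NAME_MAX && display_name[n] != '\0')
        n++;
    if (n == NAME_MAX)                   /* no terminator within our limit: reject */
        return false;

    char name[NAME_MAX];
    memcpy(name, display_name, n);
    name[n] = '\0';

    /* snprintf never writes past out_len, but a truncated result is still an
     * error for the caller, so the return value is checked as well. */
    int written = snprintf(out, out_len, "Hello, %s!", name);
    return written >= 0 && (size_t)written < out_len;
}

/* Minimal length sweep, the dynamic check a fuzzer automates: feed names of
 * growing length and return the shortest one the safe variant rejects.
 * With NAME_MAX == 32 that is 32 (31 characters plus the terminator fit). */
size_t shortest_rejected_name_len(void)
{
    char name[128];
    char out[256];
    for (size_t len = 0; len < sizeof name; len++) {
        memset(name, 'A', len);
        name[len] = '\0';
        if (!format_greeting_safe(name, out, sizeof out))
            return len;
    }
    return sizeof name;                  /* nothing rejected; should not happen */
}

/* Output-side check: the safe variant must also refuse a destination that is
 * too small for the formatted text rather than hand back a truncated string. */
bool safe_rejects_small_output(void)
{
    char out[8];                         /* "Hello, Bob!" needs 12 bytes */
    return !format_greeting_safe("Bob", out, sizeof out);
}

/* Happy path: a short name is formatted exactly as expected. */
bool safe_formats_short_name(void)
{
    char out[64];
    return format_greeting_safe("Bob", out, sizeof out)
        && strcmp(out, "Hello, Bob!") == 0;
}

int main(void)
{
    char out[64];
    if (format_greeting_safe("Bob", out, sizeof out))
        printf("%s\n", out);
    printf("shortest rejected name length: %zu\n", shortest_rejected_name_len());

#ifdef DEMO_OVERFLOW
    /* Build with -fsanitize=address -DDEMO_OVERFLOW to watch the unsafe
     * variant trigger a stack-buffer-overflow report on a 64-byte name. */
    char big[65];
    memset(big, 'A', 64);
    big[64] = '\0';
    format_greeting_unsafe(big, out, sizeof out);
#endif
    return 0;
}
```

The point of the length sweep is that the boundary (31 accepted, 32 rejected) is visible without reading the source, which is exactly what black-box fuzzing of the unsafe variant would surface as a crash under AddressSanitizer instead. Note that rejecting oversized input is a design decision of this example; silently truncating would also avoid the overflow but hides the fact that something tried to push past the limit.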
The impact is twofold: on the application side the attacker may gain foreign code execution, and, because of the same bad code quality, we might also be able to perform DoS attacks against remote endpoints. What increases the impact further is when the input into the application can be influenced by a third party, for example through a message sent to the victim, because the attacker then no longer needs phishing or malware on the device.
Business-wise, remote code execution is almost always bad news: it can lead to identity theft, reputational damage and even theft of intellectual property.
Less severe effects include degradation of performance by leveraging memory leaks, a DoS attack, or disrupted workings of the front-end architecture.
A real-world example is the attack in which a buffer overflow in WhatsApp's call handling was exploited to install NSO Group's spyware "Pegasus" on targeted phones.
"It was reported that military-grade spyware ‘Pegasus’ from NSO Group infiltrated the smartphones of journalists, politicians, and human rights activists, according to an investigation by 17 media organisations and Amnesty International. Mr Cathcart said that the recent attack reported in the media was similar to the attack against WhatsApp users two years ago. That attack is now the subject of a lawsuit brought by WhatsApp against NSO Group."
Source: https://www.independent.co.uk/life-style/gadgets-and-tech/whatsapp-pegasus-spyware-nso-apple-will-cathcart-b1890536.html