Introduction

Attack vector

Our code should be tamper-proof, because bad actors often try to tamper with our apps and re-upload them to third-party app stores. To do this, they typically leverage their knowledge of binary exploitation to modify the core packages or resources inside our application package.

If that does not succeed, an attacker might attempt to compromise the references to system APIs. This is what the OWASP Mobile Top 10 means by "Redirect or replace system APIs to intercept and execute foreign code that is malicious", though I do not fully agree with the "replace" part, as that would mean the attacker already has access to the system.

Security Weakness

It is far more common than most people think to see apps floating around that seemingly run as intended but are in fact doing something far more malicious, such as sending the user's personal data to the attacker before passing it on to the legitimate server, leaving the user none the wiser.

These are severe implications, but there can also be more benign ones, such as new features the developers never authorized, or a fully free version that unlocks everything that should have been a paid feature.

Impact

Potential impacts can be:

Prevention

A really simple way to check whether an app has been compromised is to have it verify an expected checksum that is known to the server; however, even this strategy has its own flaws. If the attacker can modify the method that contacts the server holding the checksum, our defence is defeated. One way to make this more robust is for the app to compare the checksum generated at compile time with one computed at runtime, but even then the attacker may be able to fool the app by replacing the checksum that was embedded at compile time.
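As an added example (not code from the original post), here is a manifest-based integrity check over a zip-based package such as an APK: a per-entry digest manifest is recorded from the release build, and a candidate package is compared against it so that modified, added or removed entries are reported individually. The packages and manifest below are constructed in memory; in practice the manifest would be recorded by the release pipeline and the check run by the server or pipeline against a submitted binary.

```python
from __future__ import annotations
import hashlib
import hmac
import io
import zipfile


def build_manifest(package: bytes) -> dict[str, str]:
    """Return {entry name: sha256 hex} for every file in a zip-based package."""
    manifest = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            manifest[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return manifest


def verify_package(package: bytes, known_good: dict[str, str]) -> dict[str, list[str]]:
    """Compare a candidate package against the manifest recorded at build time.
    Returns the entries that were modified, added or removed (all empty = intact)."""
    actual = build_manifest(package)
    modified = [n for n in known_good if n in actual
                and not hmac.compare_digest(actual[n], known_good[n])]
    return {
        "modified": sorted(modified),
        "added": sorted(set(actual) - set(known_good)),
        "removed": sorted(set(known_good) - set(actual)),
    }


def make_package(entries: dict[str, bytes]) -> bytes:
    """Constructed sample: a minimal zip standing in for a real app package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: the release as built, and a repacked copy whose
# core bytecode was changed and which carries an extra native library.
RELEASE = make_package({
    "classes.dex": b"release bytecode",
    "res/values/strings.xml": b"<resources/>",
    "lib/arm64-v8a/libapp.so": b"native code",
})
REPACKED = make_package({
    "classes.dex": b"modified bytecode",
    "res/values/strings.xml": b"<resources/>",
    "lib/arm64-v8a/libapp.so": b"native code",
    "lib/arm64-v8a/libextra.so": b"unknown native code",
})
KNOWN_GOOD = build_manifest(RELEASE)

if __name__ == "__main__":
    print(verify_package(REPACKED, KNOWN_GOOD))
```

The caveat from the paragraph above applies unchanged: if this same comparison is embedded in the client, the expected manifest ships inside the very package the attacker controls, so it raises the bar but cannot be the only control.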

We can also assume these tampered apps mostly run on jailbroken or rooted devices, so checking whether the app is running in a jailbroken environment is a decent way of checking integrity, though for business reasons we might not want this, as it excludes anyone with a rooted or jailbroken device.

Attack plans

As testers, I cannot easily guide you on how to test this very complex issue