Most public applications use http based API for consuming server resources. Application server just understands what data it received without knowing when, how, who, where, and why data was generated. It accepts submitted data as long as proper authetication data and certificates are passed.

Now-a-days most of client applications running on mobile or desktop are written java, .NET, etc. They can be de-compiled and modified to steal all certificates, authentication data, encryption keys, etc. This stolen data can be used for carrying-out fraudulent transactions. Most security checks can be disabled.

Similarly, AJAX calls are clearly visible in web pages. They can be fraudulently submitted using BOTs, browser addon or even third party software.

Any anti-tampering code written in C++/Native language can be bypassed/changed by de-assembling and changing just a couple of lines of assembly code change.

Any anti-tampering check based on an external value of an object like checksum, file size, etc., can always be extracted from the orginal object and sustituted in the modified program to fool the system.

Other 2FAs like OTP can be stolen from the application. Similarly, digital image of figerprint can be stolen.

Risk engines can't detect fraudulent activities as reuse of stolen data does not create abnormality.

If authentication data, certificates, encryption keys, etc. are static (which is always the case) then the stolen data can be used again and again.

Hacking code and tools are freely available on internet. Applications can be modified in just a few hours.

Rouge/Fake app can be distributed to masses through social media, reaching millions in hours.

Point of hacking, hacking code, and the method is exactly the same in all applications.

This puts your business to unlimited risks.