To most of the population, a web site and an app on your smartphone have little in common beyond being a form of how we use modern technology. The fact is that there are major links between these technologies as well as some significant differences to how they should be secured.
A Web Application Penetration Test is where we attempt to break into a specific web application. Typically, this separated from an external penetration test because the web site or application is at least an order of magnitude more complex that the infrastructure that runs it. Splitting the two tasks allows the organisation to correct the problems identified in either task, take a sigh of relief, regroup and move onto the next task.
Web application testing is a different set of actions than infrastructure testing. The core concepts are similar, however, the tools, techniques and procedures are very different. The focus of who is at risk is also usually different: infrastructure tests the security of the organisation, web application tests also assess how vulnerable the users of the web application are and these users are not always members of staff at your organisation.
App testing, at a minimum, contains some of the same elements as a Web Application test. There are additional activities that can be completed as well depending on the App. Attackers don't just target your organisation, they also target your users. Which is why App penetration testing not only tests the API (Application Programming Interface) that the App uses to communicate with the cloud, but can also test the software that is on the device itself.