How does OAuth2.0 security works in Mobile APPs ? What happens if client_id gets compromised?
OAuth 2.0 in a web application works using a redirect URI, where the authentication provider redirects to the redirect URI and verifies it against the registered one that the developer provides during app registration, before it does the redirection with the access token.

In the case of a mobile app, since there is no redirect URI to the mobile app, how does it work?

If someone gets the client id, can they use it to build a duplicate app? How does security work in the above scenario?

Blocker answered 21/11, 2015 at 16:25

Because mobile apps cannot guarantee the confidentiality of the client_secret, they can use a grant type that doesn't require it. This is the Implicit Grant. The idea is to redirect the mobile browser to the authorization endpoint using the response_type=token parameter:

https://example.com/authorize?response_type=token&client_id=CLIENT_ID&redirect_uri=http://REDIRECT_URI

After authenticating the user against the identity provider the browser will be redirected back to the redirect_uri specified in the authorization request and passed an access token:

http://REDIRECT_URI/#token=ACCESS_TOKEN

You can then intercept the request to this specifically crafted URL in the browser (by subscribing to the corresponding events that get triggered when the URL changes), extract the access token that is passed and use this token to make authenticated requests.

If someone gets the client id, can they use it to build a duplicate app? How does security work in the above scenario?

OAuth 2 is not designed to protect the intellectual property of your application. It is an authentication protocol. With or without it, anyone can duplicate your application. The idea is that without the client_secret an application cannot use the grant types that require it and that usually give more permissions and scopes to the issued access tokens.

Allayne answered 29/11, 2015 at 10:59
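As an added example, not part of the answer above, here are the two steps of the implicit grant the answer describes in Python: building the authorization URL, then recognising the browser's navigation to the redirect URI and pulling the token out of the URL fragment. The endpoint, client id and redirect URI are the placeholder values from the answer; the check that the navigated URL really is the registered redirect URI is an addition, so that a token-carrying navigation to any other host is ignored, and the code accepts both the `token` fragment name used in the answer and the standard `access_token` name.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder values taken from the answer above (not real credentials).
AUTHORIZE_ENDPOINT = "https://example.com/authorize"
CLIENT_ID = "CLIENT_ID"
REDIRECT_URI = "http://REDIRECT_URI"


def build_authorize_url(client_id: str, redirect_uri: str) -> str:
    """Step 1: the URL the app opens in the mobile browser (implicit grant)."""
    query = urlencode({
        "response_type": "token",   # ask for an access token directly
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def is_redirect_target(url: str, redirect_uri: str) -> bool:
    """Only a navigation to the registered redirect URI may carry a token.
    Scheme, host and path must match (a trailing slash is ignored)."""
    got, want = urlsplit(url), urlsplit(redirect_uri)
    return (got.scheme.lower(), got.netloc.lower(), got.path.rstrip("/")) == \
           (want.scheme.lower(), want.netloc.lower(), want.path.rstrip("/"))


def extract_token(url: str, redirect_uri: str):
    """Step 2: called for every URL the embedded browser navigates to.
    Returns the access token if `url` is the redirect URI carrying one,
    otherwise None. The token lives in the fragment (after '#'), which
    browsers never send to the server, so only the app sees it."""
    if not is_redirect_target(url, redirect_uri):
        return None
    params = parse_qs(urlsplit(url).fragment)
    if "error" in params:            # e.g. error=access_denied
        return None
    for name in ("access_token", "token"):
        if name in params:
            return params[name][0]
    return None


if __name__ == "__main__":
    print(build_authorize_url(CLIENT_ID, REDIRECT_URI))
    # constructed callback, as in the answer
    print(extract_token("http://REDIRECT_URI/#token=ACCESS_TOKEN", REDIRECT_URI))
```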
