When one of my apps was pirated a few years ago, I became extremely interested in iOS security. Based on my knowledge, I can vouch for the accuracy of the article you linked to.
The article explains quite well what IAP makes secure and what it does not. If you are using IAP to deliver content stored on Parse, Parse's SDK (and server code) makes this process very secure. The attack goes like this:
1) the attacker fakes receipt and sends it to Parse hoping that Parse will deliver the content,
2) Parse will send the receipt to Apple and ask if the receipt is valid and indeed for the product that is being requested,
3) Apple will acknowledge that this receipt is fake or for a product not being required,
4) Parse rejects the request, and no content is delivered. Success.
However, if you are using IAP to unlock features that are already shipped with the app, IAP does not prevent against binary manipulation attacks.
Awesome, in theory this is how it should work. I'm actually more curious as to how you handle it practically though. Because for us, validating the receipt from Apple takes time, so if you are first making a request to Parse and then Parse has to make a request to Apple, the added latency poses a real threat to the user cancelling the transaction, especially on a mobile device with a crappy connection. This is why I see server-side validation as non-ideal. But such is the state of mobile development.
Most of the jail broken cracks are trivial to detect client side. Otherwise... They aren't going to pay anyway, might as well make the experience better for payers and not block on validation( but still track invalid transactions). And besides, if they're willing to install a hackers DNS server and ssl cert, they won't have money for long.
I agree. The hackers will only be a small percentage of your user base (guessing <=5%), if you have a problem at all. This issue is more problematic if you track revenue metrics, and so JB users may inflate your numbers considerably, if you're not cognizant.
The article explains quite well what IAP makes secure and what it does not. If you are using IAP to deliver content stored on Parse, Parse's SDK (and server code) makes this process very secure. The attack goes like this:
1) the attacker fakes receipt and sends it to Parse hoping that Parse will deliver the content, 2) Parse will send the receipt to Apple and ask if the receipt is valid and indeed for the product that is being requested, 3) Apple will acknowledge that this receipt is fake or for a product not being required, 4) Parse rejects the request, and no content is delivered. Success.
However, if you are using IAP to unlock features that are already shipped with the app, IAP does not prevent against binary manipulation attacks.
-Andrew