The in-app billing library has a method verifyPurchase() in the Security class. In version 2 of this library the base64EncodedPublicKey was located inside Security class so we basically did not use it ever, but did verification via our API and then returned true/false as if the verification was done by in-app library.
In version 3, base64EncodedPublicKey is not located inside Security class any more, but we keep it in the Main class and pass it as a parameter to IabHelper object which then calls verifyPurchase() in the Security and passes 3 parameters now (instead of 2 as in version 2).
Is now mandatory that IabHelper does the verification? Can we still omit it like before and do verification via our API?
IabHelper is just a wrapper around In-app Billing V3 API. It's designed to make things easier. You don't have to use it, so it's not mandatory to perform verification using IabHelper.