Is it possible to hack iOS in-app purchase if someone knows the product identifier with a jailbroken device?
It seems that someone is getting my app's in-app purchase items for free. I accidentally put all my in-app purchase identifiers in a plist and bundled it. So it's possible for a hacker to take the ipa, extract it and see the plist contents.
My question is, is it really possible to hack the in-app purchase flow with a jailbroken device?
Another interesting fact is that I have the in-app purchase delegate onPurchaseSuccess() function defined in one of my classes. I am getting the URL request for this on the server side but there is no in-app purchase or sales in iTunes. Also, I have Google Analytics logged inside this function which also failed to log anything in the analytics admin portal. Analytics for other events are properly logged. How could it be possible for a hacker to fire a URL request for the in-app purchase from this function and stop the Google Analytics tracking feature? I have no idea what's happening.
If you check for in-app purchases in your app, then a jailbroken app can obviously do whatever it likes, including making purchases. If your in-app purchases just unlock some functionality that is present in your app, a jailbroken app can be hacked to use that functionality.
If you send the receipt to your server, and your server checks the receipt with Apple, and the purchase then enables functionality on the server, then it can't be hacked without hacking your server.
Putting the purchase keys into a plist doesn't make much difference, because at some point your app needs the purchase keys, and at that point it can be hacked on a jailbroken phone.
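The server-side check described in the answer above, as an added example that is not part of the original posts: the server grants a product only after Apple's verifyReceipt endpoint confirms the receipt, the bundle id and the product, and it refuses a transaction it has already honoured. The bundle id, product ids, the in-memory set and the `fake_apple` stand-in are assumptions made for illustration.

```python
import json
import urllib.request

APPLE_VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"  # Apple production endpoint
EXPECTED_BUNDLE_ID = "com.example.myapp"  # assumption: placeholder bundle id
granted_transactions = set()              # assumption: stands in for a database table


def ask_apple(receipt_b64, url=APPLE_VERIFY_URL):
    """POST the base64 receipt to Apple and return the decoded JSON reply."""
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def grant_purchase(receipt_b64, product_id, verify=ask_apple):
    """Return True only if Apple confirms the receipt contains product_id.

    The client's own "purchase succeeded" request is never trusted by itself.
    """
    if not receipt_b64:
        return False                      # success ping that carries no receipt
    reply = verify(receipt_b64)
    if reply.get("status") != 0:
        return False                      # Apple did not accept the receipt
    receipt = reply.get("receipt", {})
    if receipt.get("bundle_id") != EXPECTED_BUNDLE_ID:
        return False                      # receipt was issued for another app
    for item in receipt.get("in_app", []):
        txn = item.get("transaction_id")
        if item.get("product_id") == product_id and txn \
                and txn not in granted_transactions:
            granted_transactions.add(txn)  # remember it so it cannot be replayed
            return True
    return False                          # product absent or transaction already used


def fake_apple(receipt_b64):
    """Constructed stand-in for Apple's reply so the example runs offline."""
    if receipt_b64 != "VALID-RECEIPT":
        return {"status": 21002}          # malformed receipt data
    return {"status": 0, "receipt": {"bundle_id": EXPECTED_BUNDLE_ID, "in_app": [
        {"product_id": "coins_100", "transaction_id": "1000000000000001"}]}}
```

In production `verify` is left at its default, so every grant depends on Apple's answer rather than on anything the device reports.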