The Android in-app purchase documentation says to verify purchases on a server and not on the device, because otherwise an attacker could decompile the app and auto-verify purchases. Well, how does verifying on the server help? I'll illustrate with pseudocode. Here's scenario 1 with on-device verification.
```java
public boolean verify(String data) {
    return Security.verifyPurchase(data);
}
```
Attacker replaces with this:
```java
public boolean verify(String data) {
    return true;
}
```
Scenario 2, verification on the server:
```java
public boolean verify(String data) {
    return verify("https://verify.server.com", data);
}
```
Attacker replaces with this:
```java
public boolean verify(String data) {
    return true;
}
```
So the only way this makes sense is if the purchased product is also provisioned from the server, right? If it's unlocking a feature, you would have to download something from the server that the feature can't work without, otherwise the attacker can just decompile and verify the purchase (or decompile and turn on the feature, skipping the purchase).
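To make the point concrete, here is an added example (not from the question or from Android's documentation) that models both designs side by side. The purchase records and premium content are constructed sample data; `PURCHASES` stands in for what a real server would learn from the Play Developer API rather than from anything the client sends it.

```python
# Constructed sample data standing in for the server's own purchase records
# (a real server would look the token up via the Play Developer API, not
# trust anything the client asserts).
PURCHASES = {"tok-7f3a": "premium_pack"}  # purchaseToken -> SKU

# Content that exists only on the server: the thing the feature can't work without.
PREMIUM_CONTENT = {"premium_pack": ["level-11", "level-12"]}


def server_verify(token):
    """Scenario 2 as described: the server answers yes/no and nothing else."""
    return token in PURCHASES


def server_provision(token):
    """Server-gated variant: validate the token, then return the gated content."""
    sku = PURCHASES.get(token)
    return list(PREMIUM_CONTENT[sku]) if sku in PREMIUM_CONTENT else None


class BundledApp:
    """Content ships inside the APK; only a yes/no check guards it.

    A client whose verify() has been patched to return True gets everything,
    no matter where the real check lives (device or server).
    """

    BUNDLED_LEVELS = ["level-11", "level-12"]  # shipped with the app

    def __init__(self, patched=False):
        self.patched = patched  # models a decompiled-and-edited verify()

    def verify(self, token):
        return True if self.patched else server_verify(token)

    def premium_levels(self, token):
        return list(self.BUNDLED_LEVELS) if self.verify(token) else []


class ProvisionedApp(BundledApp):
    """Content is fetched from the server after it checks the token itself.

    Patching the local verify() changes nothing: the server never hands over
    the levels for a token it does not recognise, and the APK has no copy.
    """

    def premium_levels(self, token):
        if not self.verify(token):
            return []
        return server_provision(token) or []
```

The difference is visible in what a patched client actually obtains: `BundledApp(patched=True)` returns the full level list for any token, while `ProvisionedApp(patched=True)` returns nothing unless the server recognises the token.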