Revenue Cat iOS - How do I validate purchases so that jailbroken iPhones can't crack the In App Purchase?
I just released an app for iOS and I used Revenue Cat to help with IAPs. I just found out that anyone with a jailbroken iPhone can make fake purchases that give them the "goods" without making a payment. Does Revenue Cat have a way to verify and make sure this doesn't happen?
Here is the code for when a certain purchase is made in the app (button press):
```swift
guard let package = offering?.availablePackages[2] else {
    print("No available package")
    return
}
Purchases.shared.purchasePackage(package) { (trans, info, error, cancelled) in
    // handle purchase
    if trans?.transactionState == .purchased {
        if let currentUser = Auth.auth().currentUser {
            // Read the current score and write the incremented value from the client,
            // right after the SDK reports the transaction as purchased.
            let ref = Database.database().reference()
            ref.child("users/\(currentUser.uid)/score").getData(completion: { error, snapshot in
                guard error == nil else {
                    print(error!.localizedDescription)
                    return
                }
                let score = snapshot.value as? Int ?? 0
                let newScore = score + 100
                ref.child("users").child(currentUser.uid).updateChildValues(["score": newScore])
            })
        }
    }
}
```
Solution 1:[1]
Incrementing the score from the client is not very secure. You could listen for RevenueCat webhooks and update the score server side on a successful purchase or renewal. The webhook will only be dispatched from RevenueCat on a valid purchase that's securely verified with Apple.
Another approach to this would be to ping your server in the purchase completion block to check RevenueCat for the latest purchase status. So you ping your server, then from your server you call RevenueCat's GET /subscriber endpoint and make sure the score has been updated. Webhooks then could be used as a redundancy mechanism.
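The webhook route the answer describes, as an added example that is not code from the question, the answer or RevenueCat: a framework-free server-side handler that takes a RevenueCat webhook POST, checks its Authorization header against the secret you configure for the webhook in the RevenueCat dashboard, credits the score only for purchase-type events in the production environment, and stays idempotent across webhook retries. The payload field names (event.type, event.id, event.app_user_id, event.environment) are assumed from RevenueCat's documented webhook format, the score and event-id stores and the sample event are constructed, and it assumes the app registers the Firebase uid as RevenueCat's app user ID so the webhook's app_user_id maps onto users/<uid>/score.

```python
import hmac
import json

# Placeholder: the value you set as the webhook's Authorization header in the
# RevenueCat dashboard. Only RevenueCat and your server know it.
WEBHOOK_AUTH_SECRET = "replace-with-your-dashboard-secret"

# Event types that represent a paid purchase worth a score credit (assumed
# from RevenueCat's webhook event list); cancellations and billing issues do not.
CREDIT_EVENTS = {"INITIAL_PURCHASE", "RENEWAL", "NON_RENEWING_PURCHASE"}
SCORE_PER_PURCHASE = 100

# Constructed sample webhook body for a verified production purchase.
SAMPLE_BODY = json.dumps({"api_version": "1.0", "event": {
    "type": "INITIAL_PURCHASE", "id": "evt-0001", "app_user_id": "firebase-uid-1",
    "product_id": "com.example.score_pack", "environment": "PRODUCTION"}})


def handle_webhook(headers, raw_body, scores, seen_event_ids,
                   secret=WEBHOOK_AUTH_SECRET, allow_sandbox=False):
    """Return (http_status, reason). scores (user id -> int) and seen_event_ids
    are only mutated for an authenticated, not-yet-seen purchase event."""
    # 1. Reject any POST that does not carry the shared secret; a client that
    #    faked a purchase locally cannot produce this header.
    if not hmac.compare_digest(headers.get("Authorization", ""), secret):
        return 401, "bad authorization header"
    try:
        event = json.loads(raw_body)["event"]
    except (ValueError, KeyError, TypeError):
        return 400, "malformed payload"
    # 2. Sandbox purchases cost nothing; do not credit them in production.
    if event.get("environment") != "PRODUCTION" and not allow_sandbox:
        return 200, "ignored sandbox event"
    # 3. Only purchase-type events grant score.
    if event.get("type") not in CREDIT_EVENTS:
        return 200, "ignored event type %s" % event.get("type")
    # 4. RevenueCat retries webhooks that do not get a 2xx, so the same event
    #    may arrive more than once; credit each event id at most once.
    event_id = event.get("id")
    if not event_id or event_id in seen_event_ids:
        return 200, "duplicate or missing event id"
    user_id = event.get("app_user_id")
    if not user_id:
        return 400, "missing app_user_id"
    seen_event_ids.add(event_id)
    scores[user_id] = scores.get(user_id, 0) + SCORE_PER_PURCHASE
    return 200, "credited"
```

Replace the two in-memory dictionaries with writes to your real user store (for the question's setup, users/<uid>/score in Firebase) and the client no longer needs write access to the score at all.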
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | enc_life |
