[stottc]

There's an option to do server-side receipt validation. That should prevent a hack like that.

[reitzensteinm]

Also, checking for the purchase status of an item that can't be bought would be a cheap and easy place to start.

Easy to get around with a custom crack, but it should actually be pretty effective against a blanket 'just return yes' crack.