[freedomben]

Not really, not anymore. Many apps are now using certificate pinning to make it impossible for the user to to modify the trust store. This means that unless it is open source, it is very difficult for people to verify, even when they know very well what they are doing.

[Technetium]

There's always a way, even if it's a lot more painful now! https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-00...

[zerr]

But you can verify that the app does not use the network at all, right?

[freedomben]

Yes you could, although the bar is still a lot higher than if it's open source. You will have to fully re-test all possible paths in the app every time a new release is made if it's closed source. If it's open, you just need to look at the git log.

Plus if there is one legitimate network call, then this strategy is out since you can't know what that request contains. OP using in-app purchases, so I'm willing to be there's at least one network call in there.

If there is no network access permission at all, then I think we agree, that's a reasonable guarantee.

[zerr]

Interesting if in-app purchase is registered as the app network access vs Google Play services network access.