Before starting, to secure IAPs you need to have your own webhosting!
Purchases must be validated before awarding the user. There are two options available to do this:
Local: This option is used in both IAP extensions from YoyoGames (Android and iOS). The validation is done locally. Users with root access can use apps that bypass the payment system and fake the validation.
Server: You need to setup a server to validate purchases. This makes the process more secure. The extension will call the php file on your server and the validation happens there.
How to use?
If you have any suggestions or found a bug, please let us know so we can improve our product! Rating and sharing will be appreciated! :)