Isn't this only an issue if your app is submitting receipt validation requests directly from the device to Apple's validation server? E.g.<p><pre><code> device -> itunes.apple.com/verifyReceipt
</code></pre>
I thought the best practices for receipt validation involved having your app submit the receipt to your own server first, and then performing the receipt validation with Apple on the server side. E.g.<p><pre><code> device -> yourownserver.com -> itunes.apple.com/verifyReceipt
</code></pre>
In which case, even if someone man-in-the-middle's apple.com on their device, it doesn't affect the receipt validation that you perform server side. Or am I misunderstanding something and the hack is occurring at a lower level than that?