
You have to do it on the server. And it's a pain to implement correctly, full of cryptic error codes. I imagine many developers skip it since it's not required by Apple.


The other thing is that you're dependent on the validation server's availability to check the receipts. Apple's got great uptime in this respect (and others), but there have been outages (a big one last September: http://www.ilounge.com/index.php/news/comments/app-store-suf...).

It's a tradeoff, really, that most IAP implementors consider:

Cost of support and loss of goodwill when legitimate customers run into issues vs. loss of revenue from pirates (heretofore only jailbroken phone users) who likely wouldn't have purchased anyway.

It makes fiscal sense for big players with big IAP scale like Zynga to strictly validate. Little players may find it is less critical to the bottom line to be strict about it.


You're also dependent on Apple's purchasing servers to buy the content to begin with, so I'm not sure I see the point.


Why do you say it's a pain to implement? It's an HTTP+JSON API, and there's only one error code you have to care about:

If the value of the status key is 0, this is a valid receipt. If the value is anything other than 0, this receipt is invalid.

http://developer.apple.com/library/ios/#documentation/Networ...
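A server-side sketch of the check discussed above, added as an example and not code from any commenter or from Apple. It applies the "status is 0" rule and keeps a validation-server outage separate from an invalid receipt; the endpoint URL and the `receipt-data` request field are assumptions not stated in the thread, and `Verdict`, `verify_receipt` and `should_unlock` are hypothetical names.

```python
import json
import urllib.request
from enum import Enum

# Assumption: Apple's production verifyReceipt endpoint and its "receipt-data"
# request field; neither is spelled out in the thread.
VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"


class Verdict(Enum):
    VALID = "valid"              # status == 0
    INVALID = "invalid"          # any other status
    UNAVAILABLE = "unavailable"  # no trustworthy answer; caller decides policy


def http_post(url, body, timeout=5):
    """Default transport: POST JSON bytes, return the raw response body."""
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def verify_receipt(receipt_b64, post=http_post):
    """Classify a base64 receipt using the status key of the JSON reply."""
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    try:
        reply = json.loads(post(VERIFY_URL, body))
    except (OSError, ValueError):
        # Network failure, timeout, or a non-JSON body: this is an outage,
        # not evidence that the receipt is forged.
        return Verdict.UNAVAILABLE
    if not isinstance(reply, dict) or "status" not in reply:
        return Verdict.UNAVAILABLE
    status = reply["status"]
    # Compare type as well, so "0", False or None never count as valid.
    if type(status) is int and status == 0:
        return Verdict.VALID
    return Verdict.INVALID


def should_unlock(verdict, fail_open=False):
    """Policy knob for the tradeoff in the thread: strict sellers fail closed."""
    if verdict is Verdict.UNAVAILABLE:
        return fail_open
    return verdict is Verdict.VALID
```

Passing a stub as `post` lets the three outcomes be exercised without network access.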


+1 Totally agree, it is actually pretty easy and worth it if you already have to have a server. If you don't already have a server, then it probably isn't worth adding one.


Apple does not require it because it's not their job. It's the app developer that's losing money because of this, not Apple. They provided a way to do it right.


I wonder if Apple will start using certificate pinning[1] (like Chrome does for Google certs).

[1]: http://www.imperialviolet.org/2011/05/04/pinning.html



