What are the benefits of hosted content for in app purchase?

Question

With iOS 6, Apple provides free hosted content for in-app purchase using StoreKit.

I would like to understand the benefits of this, especially in terms of security!

• If I have a pack of images to unlock, I can choose to host the images directly in the app, or in hosted content. Is it more secure to go with hosted content? My in-app purchase already verifies the receipt from Apple.
• Is there a chance that a hack can unlock the images directly in my app?
• If my pack of images is like 40MB, is it a good solution for the user experience to download the hosted content? With a not so good 3G connection it can be painful...

Thanks for your answers.

Answer 1

Apple offers some guidance on when to use hosted content or bundled content. I'm quoting from In-App Purchase Programming Guide: Delivering Products.

Embed smaller files (up to a few megabytes) in your app, especially if you expect most users to buy that product. Content in your app bundle can be made available immediately when the user purchases it. However, to add or update content in your app bundle, you have to submit an updated version of your app.

Download larger files when needed. Separating content from your app bundle keeps your app’s initial download small. For example, a game can include the first level in its app bundle and let users download the rest of the levels when they’re purchased. Assuming your app fetches its list of product identifiers from your server, and not hard-coded in the app bundle, you don’t need to resubmit your app to add or update content that is downloaded by your app.

These are guidance, not requirements, so if you have reason to believe that someone will make an in-app purchase with a large downloadable asset while they're on cellular, you might want to bundle it. However, this is wasting space on your user's device if they do not purchase to unlock it.

As for security, they have this note in the section regarding download objects.

Note: Download all Apple-hosted content before finishing the transaction. After a transaction is complete, its download objects can no longer be used.

This implies (although, does not explicitly state) that the downloads are only available with some internal authentication of the transaction. This means that it requires Apple's approval, which is actually more secure than checking the receipt locally (which can be bypassed using jailbreaks).