Security best practices with IAPs and multiplayer

Discussion in 'Unity IAP' started by fendercodes, Oct 14, 2020.

  1. fendercodes

    Before I dive deep into the weeds, I wanted to reach out and see if anyone had implemented something similar before in an iOS/Android game.

    My game will have:
    • A customisable character with IAP cosmetics
    • Multiplayer where players can see each other's characters
    • No user-login
    The game is not competitive, but I would like to protect against hackers figuring out a way to pretend they have certain cosmetics even though they haven't purchased them.

    A couple of ideas I had for implementation:
    1. When joining a multiplayer game, each player sends their character's cosmetic list across the network. This is by far the least secure but easy to implement.
    2. When an IAP is purchased, the client sends an API request with their device ID and the item purchased to our own server (i.e. Firebase) where we store this information. Then when joining a multiplayer game, they just send their device ID and each user makes a request to fetch their known purchases from the server. This is still not very secure because the initial API request can be faked.
    Is there some other easier and/or safer way to do this?
     
  2. JeffDUnity3D

    You might consider cloud save providers like ChilliConnect or PlayFab.
  3. fendercodes

    Thanks, PlayFab was perfect.
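
Added example, not code from the thread, Unity or PlayFab: the weakness noted in idea 2 (the purchase report can be faked) is closed when the server grants a cosmetic only for purchase data carrying a signature it can verify, and peers read cosmetics from the server rather than from the joining player. The RSA key pair stands in for the app store's signing key, and the product IDs, order IDs and function names are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed stand-in for the app store's signing key pair. On a real server
// only the store's public key is present; the private key never leaves the store.
const store = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Test helper (constructed): what the store would hand the client after a purchase.
function storeSign(purchase) {
  const json = JSON.stringify(purchase);
  const sig = crypto.sign('sha256', Buffer.from(json), store.privateKey);
  return { json, sig: sig.toString('base64') };
}

const CATALOGUE = new Set(['hat_gold', 'cape_red']); // hypothetical product IDs
const entitlements = new Map(); // deviceId -> Set of owned productIds
const usedOrders = new Set();   // orderIds already redeemed (replay guard)

// Server side of idea 2: grant a cosmetic only for purchase data the store signed.
function recordPurchase(deviceId, purchaseJson, signatureB64) {
  if (typeof purchaseJson !== 'string' || typeof signatureB64 !== 'string') {
    return { granted: false, reason: 'malformed' };
  }
  const valid = crypto.verify('sha256', Buffer.from(purchaseJson),
    store.publicKey, Buffer.from(signatureB64, 'base64'));
  if (!valid) return { granted: false, reason: 'bad-signature' };

  const { orderId, productId } = JSON.parse(purchaseJson); // parsed only after verification
  if (!CATALOGUE.has(productId)) return { granted: false, reason: 'unknown-product' };
  // One receipt grants one device; a copied receipt cannot be redeemed again.
  if (usedOrders.has(orderId)) return { granted: false, reason: 'order-already-used' };

  usedOrders.add(orderId);
  if (!entitlements.has(deviceId)) entitlements.set(deviceId, new Set());
  entitlements.get(deviceId).add(productId);
  return { granted: true };
}

// What peers call when a player joins: the server's record, not the joiner's claim.
function getCosmetics(deviceId) {
  return [...(entitlements.get(deviceId) || [])].sort();
}

// Demo with constructed data: a signed purchase, then a payload the store never signed.
const demo = storeSign({ orderId: 'DEMO-1', productId: 'hat_gold' });
console.log(recordPurchase('demo-device', demo.json, demo.sig));
console.log(recordPurchase('demo-device', '{"orderId":"X","productId":"cape_red"}', demo.sig));
console.log(getCosmetics('demo-device'));
```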