(I guess I should clarify that this is an analogy, and that the same applies for desktop software. Dial home = one extra layer against piracy if someone pirated the app.)

There is an inapp purchase cracker on cydia now... Most apps dont actually check to make sure you purchased the content.

Most iOS apps use a standard set of system calls to check if the item has been purchased. I assume the hack works by patching the systems calls to return YES to all queries about in-app purchase items. That's how I would do it if I was building something like that. There are no tokens or keys to validate... it's just "hey system, is this paid for? okay!"

There's an option to do server-side receipt validation. That should prevent a hack like that.

Also, checking for the purchase status of an item that can't be bought would be a cheap and easy place to start.

Easy to get around with a custom crack, but it should actually be pretty effective against a blanket 'just return yes' crack.