Security Concern With Restoring In App Purchases
Solution 1:
Apple addresses this in the In-App Purchase Programming Guide.
Firstly, you can provide your user's account name with the purchase information to assist Apple to detect irregular activity -
Detecting Irregular Activity
The App Store uses an irregular activity detection engine to help combat fraud. Some apps can provide additional information to improve the engine’s ability to detect unusual transactions. If your users have an account with you, in addition to their App Store accounts, provide this additional piece of information when requesting payment.
Then, when it comes to restoring purchases you can provide this same user account information to restoreCompletedTransactionsWithApplicationUsername: method -
Restoring Completed Transactions
Your app starts the process by calling the restoreCompletedTransactions method of SKPaymentQueue. This sends a request to the App Store to restore all of your app’s completed transactions. If your app sets a value for the applicationUsername property of its payment requests, as described in Detecting Irregular Activity, use the restoreCompletedTransactionsWithApplicationUsername: method to provide the same information when restoring transactions.
Finally, you can use the receipt information on your server to correlate the original transaction with the restored transaction for the same userid and not restore the functionality if it doesn't match.
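The server-side correlation described in the last step can be sketched as follows. This is an added example, not code from the answer or from Apple. It assumes the receipt has already been validated and parsed on the server, and the class name, field names and sample identifiers are hypothetical.

```python
# Added example: bind each original transaction to the account that bought it,
# and unlock restored transactions only for that same account.
# Assumption: receipts are already validated; dict keys below are illustrative.

class EntitlementLedger:
    def __init__(self):
        # original_transaction_id -> account id that made the purchase
        self._owner = {}

    def record_purchase(self, account_id, tx):
        """Bind a purchase to an account. The first binding wins, so a later
        attempt to re-bind the same transaction to another account fails."""
        otid = tx["original_transaction_id"]
        owner = self._owner.setdefault(otid, account_id)
        return owner == account_id

    def restore(self, account_id, restored_txs):
        """Return (granted product ids, rejected original transaction ids)."""
        granted, rejected = set(), []
        for tx in restored_txs:
            otid = tx["original_transaction_id"]
            if self._owner.get(otid) == account_id:
                granted.add(tx["product_id"])
            else:
                # Unknown transaction or one bound to a different account:
                # do not restore the functionality.
                rejected.append(otid)
        return sorted(granted), rejected


# Constructed sample transactions (not real App Store identifiers).
TX_PRO = {"original_transaction_id": "1000000000000001",
          "product_id": "com.example.app.pro"}
TX_UNKNOWN = {"original_transaction_id": "1000000000000099",
              "product_id": "com.example.app.pro"}


def demo():
    ledger = EntitlementLedger()
    ledger.record_purchase("alice", TX_PRO)
    # Same App Store account, different app account: restore is refused.
    other = ledger.restore("bob", [TX_PRO])
    # Original buyer: restore is granted; the unseen transaction is refused.
    owner = ledger.restore("alice", [TX_PRO, TX_PRO, TX_UNKNOWN])
    return other, owner


if __name__ == "__main__":
    print(demo())
```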