@sam.oen It depends on your use case. You can use in-app payments without own server if all in-app purchases are completely local. But people with root devices can hack it and buy something without payment.

gildor: Thank you. I think my purchase is 'local', it lets you see an extra screen in the app. So maybe a hacker gets to see that screen for free? Oh well!

Even if you check payment using auth server there is no 100% guarantee, that somebody hack application itself (change code of app to skip check or something similar). But of course it requires more work for hacker, because GP fake payments on rooted device require no additional work at all But you of course can add some additional protection, for example prevent app to run on rooted devices or some other similar tricks to detect that user want to hack you. Also maybe Google Play Licensing could help https://developer.android.com/google/play/licensing/index.html