Hacking? You call this hacking?
If it's client based authorization, i.e. asking apple if something has been bought - it's only normal to be able to "hack", no much security can save the case.
If the application relies on the server (3rd party) to provide content then the hacking won't be viable. I really see no news here.
According to Borodin, only developers using their own servers to verify in-app purchases are able to dodge the hack.
I found that quote a bit later - and it has always been known to be the case. It's not possible to reliable authenticate anything without a 3rd party doing the authentication That's why there are root certs.
As a last note: If Apple is willing to sign explicitly all transaction tickets responses with a private key, then it will work. SSL alone can be fooled by root cert installation but an explicit offline public key - not so much.