Soomla and Security

Did your friend actually go through and complete the transaction? Editing the game file using a hex editor, and updating what prices are shown in the game is not the same as changing the transaction price. The actual transaction is taking place on the server side. Hex editing shouldn't impact the value of the transaction that is finally completed.

However, things will be different if the IAP request is routed to a private server pretending to be the IAP provider.

The answer suggested below by @y_nizan is one way to make it harder to cheat. Grow has an excellent feature of server side verification. However, you have to realize that Unity does not obfuscate your code, and its actually very easy to extract almost verbatim (along with you game assets). A skilled hacker can simply modify the source, and repackage it to give him IAP benefits for free.