On iOS the folder where your settings are saved are not visible outside the app. If you turn that on, then you could get to it from iTunes, but as long as you leave it out of your build.settings, casual viewers won't be able to mess with it. You have to have a jailbroken phone on iOS for people to do this. I'm not that worried about iOS as much as I am Android. Way more people **root** their Android devices increasing the probability that they could go poking around.
There are techniques that you can use, like come up with a pass phrase and run it through an MD5 hash routine that will spit out a long hex number. If you're on a Mac this is easy to do, if not there should be a website that will generate the MD5 hash for you. Create a phrase, in my instance I'm going to use the phrase "fred&barney". From the terminal on your Mac do:
echo "fred&barney" | md5
It will output:
You can then store that in your json file and give it an obscure key, i.e. if you have a table called settings that holds your settings do:
settings.plugh = "35f12d715b663fab1e30ddfd7b29d00d"
Then in your app, check to see if settings.plugh matches "35f12d715b663fab1e30ddfd7b29d00d" and you've made it not so obvious that this is your free vs. paid key. If they try and hack the value, it most likely won't match. You can add in a bunch of other random keys and MD5 strings to obscure things even more.
But this is only going to stop the casual person. A good hacker will look at the file, pay for it, see the difference and then publish the difference for their friends to use. So this is by no means fool proof. The recommended way is to store the receipt you get back from IAP on a remote server and then check your saved version of the receipt with the server hosted version and if they match, then unlock things. But this of course only works if you have connectivity.