Fascinating. If it really isn't sending the face images, spoofing the verification could be as simple as returning a boolean to some API.