The Face authentication component in Aware mobile liveness 2.2.1 sdk 2.2.0 for Knomi allows a Biometrical Liveness authentication bypass via parameter tampering of the /knomi/analyze security_level dropping it down and getting an approval score (100%) back from the server.
The exploitation is also possible reverse engineering the sdk base changing the security_level parameter to achieve the OK from the server. The server does not properly validate the value sent by the SDK.
[Vendor of Product]
Aware - https://www.aware.com/
Exploit:
https://drive.google.com/file/d/1-0X8foCwjR3RmL_7UJcgOFYrwKOjYZQL/view