This is one of those weaknesses about 3rd party dependencies on Android. Unless business and product teams value user privacy and permissions, they usually could care less than vendor X's library requires permissions to read phone state or contacts when your app itself doesn't need it. Esp. given that iOS treats permissions differently, the distinction is often ignored in favor of whatever iOS does. To those managers, the fact that Android doesn't ask the user about using a permission is a happy coincidence.