Because it is the developer who knows which permissions his application has.
Consider this: a developer does not want his app to access contacts and yet, by mistake, the app accesses them.
If permissions are detected from code, not stated explicitly, such an error would pass unnoticed.