Alex, sorry you are running into this. This is a bug in the SDK that we are working on fixing prior to the final release. In the meantime, there are a couple of workaround approaches you could try.

1. While the Session object’s notion of its permissions is out of sync with the Facebook service, the access token associated with the Session still has those permissions and can still be used to make Graph API calls requiring any of the permissions it has been granted (unless the user has subsequently revoked any of them, of course). So if your application logic allows you to disregard the results of the Session.getPermissions() call (for instance, if your UI flow implies the user must have already granted a certain permission prior to reaching a certain step in the flow, so you can assume it is present), you can go ahead and make Graph API calls that require those permissions regardless of what getPermissions says — real truth about what permissions are associated with the token lives in the service, not in the Session object.

2. If your app logic is such that you need to check whether a certain permission has been granted, unfortunately right now you may need to keep track of the permissions separately,
   perhaps by declaring an ArrayList<String> somewhere that you append the new permissions to, perhaps in your Session.StatusCallback whenever the session is opened, and clear it whenever the session is closed. (You could also make a call to “me/permissions” each time the state transitions to OPENED_TOKEN_UPDATED and store the results.) This should be considered only a temporary workaround until the real fix is available. Hope this helps.