With Android 6.0 Marshmallow (API 23) Google has finally included a new permissions model similar to iOS.

What's new?

The new model is quite a change for app developers, because they have to handle permission requests at runtime and can't rely on the fact that they are automatically granted by installing the app. In addition users can revoke them at any time.

This means you have to handle new situations:

  • your app still has to work even when the user denies the permission.
  • the user may revoke permissions later on.
  • you can explain yourself why your app needs the the requested permission.

Explain yourself

As a developer it is important to explain why you need the requested permissions. This helps to build up trust in your app. Major apps are doing this by using the two dialog system. The first dialog explains why the permission is needed and the second one is actually the system permission dialog.

Here is an example how twitter handles the permission requests:

The most important part is that the app should still be working even when a user doesn't accept a permission check. You also need to handle the fact that it can be manually revoked afterwards.

It's important to check for permissions every time you need them!

Check permissions at runtime

Here is a short example how to implement the new permissions system. You can check if the appropriate permission is granted by calling the checkSelfPermission method.
shouldShowRequestPermissionRationale() is a utility method to find out if the app has requested this permission previously and the user denied the request. It tells you if the user selected a checkbox to be never asked again for the permission or the device policy prohibits the app from having the permission.

if (ContextCompat.checkSelfPermission(this,  
  Manifest.permission.READ_CONTACTS) != PackageManager.PERMISSION_GRANTED) {
    if (ActivityCompat.shouldShowRequestPermissionRationale(this, Manifest.permission.READ_CONTACTS)) {
        // explain permission to the user by showing a  
        // message dialog but don't block the ui thread!
    } else {
        // no need to explain, ask for permission directly
        ActivityCompat.requestPermissions(thisActivity,
                new String[]{Manifest.permission.READ_CONTACTS},
                MY_PERMISSIONS_REQUEST_READ_CONTACTS);
    }
}

When the user answers to the permission request the app's callback method will be called. You can override this method in your activity to evaluate the result:

@Override
public void onRequestPermissionsResult(int requestCode, String[] permissions, int[] grantResults) {  
    switch (requestCode) {
        case MY_PERMISSIONS_REQUEST_READ_CONTACTS:
            if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
                // permission granted
            } else {
                // do stuff without the permission
            }
        break;
    }
}

At last I want to recommend the Youtube Video from Google Dev. It shows the basics how to integrate runtime permissions into your Android app: