Increased Granularity in Android Runtime Permissions

Increased Granularity in Android Runtime Permissions Image

Google recently unveiled their new Nexus phones and have begun the launch of Android Marshmallow. In this blog I’m going to talk about what I think is the most important added feature in Android Marshmallow: Runtime Permissions.

You may recall the scenario where you want to install an Android app and the Play Store asks your permission for all of the actions the app may take in future. And you have to agree to them now, or you aren’t able to install the app.

Consider a location-based app which needs to have access to internet and the device’s location. This app should have the uses-permission tags in the manifest file as below.

<uses-permission android:name=”android.permission.INTERNET” />

<uses-permission android:name=”android.permission.ACCESS_COARSE_LOCATION” />

Normally the following screen would be the first screen that you see when you want to install the app.



And by giving these permissions to the app, it can have the authority to use Internet and get the device’s location throughout its lifetime.

However, since Android M (Marshmallow), apps have to ask for a permission at runtime if they need it. That is, if the app that we described above wants to get the current location of the device, it has to ask the user’s permission from within the app.

The following message (dialog) is one of the dialogs that we will see frequently in near future.


Although the app asks about these permissions at runtime, Android still shows the list of all of the permissions that developers define in the manifest file on the installation screen.

You may ask what happened to the Internet permission? Why there is no message for its usage in the app?

Permissions have different protection levels. Permissions defined in the manifest file which fall under the “normal” protection level category are granted if the user installs the app. Internet permission falls into this category. On the other hand, permissions which are considered as “dangerous” need the user’s acceptance when they are required. Therefore, the previous app does not have to worry about asking user about the permission for Internet, but it has to ask permission to get the user’s device location.

The Android developer guide has more details on defining permissions and understanding protection levels.

Another important note is that if the targetSdKVersion of an app is set to 23 – which is the API level of Android M – or higher, it has to be careful about adopting runtime permissions procedure. Your application will need to account for users potentially denying you certain permissions. Apps with a targetSdkVersion below 23, do not have to worry about asking permissions at runtime, though it is still possible for a user to revoke a permission after it has been installed.

Android is headed towards granularity of permission assignment, which is a good thing. This will gives users more confidence when installing an application and builds trust between users and apps.