Long gone are the days when Android developers used to give app permissions by adding only one line of code in the manifest file. This is no more possible because Google now cares more about user’s privacy and security and so they have added some extra layers of security by changing the way an app obtains permissions. Starting from Marshmallow and continuing with Nougat, by default an app has got no permission to anything at all. Now, an app has to get permissions from the user to get access to resources that it needs. This is usually done when an app was installed.
Google documentation states that each app runs in its own sandbox by creating a linux user id for each app. But we don’t necessarily need to understand that in detail to work with permissions. If you are interested you can read the Android Documentation for more details on that. Google suggests that you don’t request all the permissions at once but wait until the user does something that needs a permission before asking them for it. It makes more sense to the user that way and it gives user more control over deciding which permission to give. It is worth looking at Google’s definition of normal and dangerous permissions in their training section. All those that are categorized as normal permissions can be dealt with adding the same line of code to the manifest file and the app will work on all Android versions that the developer is targeting.
For example, if your app needs to access internet, luckily it falls under normal category and all the code you need to add in the manifest file is this:
<uses-permission android:name="android.permission.INTERNET" />
However, if you want to access a resource that has been categorized as dangerous there are several steps involved to request the user to grant permissions. A most common example is to access user’s location. This involves many steps which are discussed in my other post about Marshmallow Maps Permissions.