Android is being developed rapidly and the spreading update to Android Marshmallow is a lot different. In this article we’ll try to briefly cover everything you need to know about recently introduced Runtime Permission including how it should be implemented.

The New Runtime Permission

Android’s permission system is one of the biggest security concerns all along since those permissions were asked for at install time. Once installed, the application will be able to access all of things granted without any user’s acknowledgement what exactly application does with the permission.

No surprise why there are so many bad guys trying to collect user’s personal data through this security weakness and use it in the bad way.

Android team also know this concern. 7 year passed, finally permission system is redesigned. In Android 6.0 Marshmallow, application is not granted any permission at installation time. Instead, application has to ask user for a permission one-by-one at runtime.

Bekitzur: How to implement custom runtime permissions in Android 6.0 including automatically granted permissions, editing AndroidManifest.xml for API above level 23.

Please note that permission request dialog shown above will not launch automatically. Developer has to call for it manually. In the case that developer try to call some function that requires a permission which user has not granted yet, the function will suddenly throw an Exception which will lead to the application crashing.

Besides, user is also able to revoke the granted permission anytime through phone’s Settings application.

It’s not easy to implement properly but our developers have done this numerous times. First thing to consider is user’s data security and privacy so it’s worth writing a bit of additional code.

New Runtime Permission will work only when the application’s targetSdkVersion is set to 23 which mean it is declared that application has already been tested on API Level 23. And this feature will work only on Android 6.0 and newer. The same app will run with same old behavior on pre-Marshmallow device.

What happened to the application that has already been launched?

If the application’s targetSdkVersion is set to less than 23, it will be assumed that application is not tested with new permission system yet and will switch to the same old behavior: user has to accept every single permission at install time and they will be all granted once installed.

As a result, application will run perfectly like before. Anyway please note that user still can revoke a permission after that! Although Android 6.0 warn the user when they try to do that but they can revoke anyway.

Letting our application not to work perfectly on new device is not acceptable. To make it work perfectly, application should be modified to support this new permission system.

Automatically granted permissions

There is some permission that will be automatically granted at install time and will not be able to revoke. We call it Normal Permission (PROTECTION_NORMAL).

Those permissions should be simply declared in AndroidManifest.xml and it will work just fine. No need to check for the permission listed above since it couldn’t be revoked.

Now it’s time to make our application support new Runtime Permission perfectly.

In this example, we try to add a contact with a function below.

 private static final String TAG = "Contacts";
private void insertDummyContact() {
// Two operations are needed to insert a new contact.
ArrayList operations = new ArrayList(2);
// First, set up a new raw contact.
ContentProviderOperation.Builder op = ContentProviderOperation.newInsert(ContactsContract.RawContacts.CONTENT_URI)
.withValue(ContactsContract.RawContacts.ACCOUNT_TYPE, null)
.withValue(ContactsContract.RawContacts.ACCOUNT_NAME, null);
// Next, set the name for the contact.
op = ContentProviderOperation.newInsert(ContactsContract.Data.CONTENT_URI)
.withValueBackReference(ContactsContract.Data.RAW_CONTACT_ID, 0)
"__DUMMY CONTACT from runtime permissions sample");
// Apply the operations.
ContentResolver resolver = getContentResolver();
try {
resolver.applyBatch(ContactsContract.AUTHORITY, operations);
} catch (RemoteException e) {
Log.d(TAG, "Could not add a new contact: " + e.getMessage());
} catch (OperationApplicationException e) {
Log.d(TAG, "Could not add a new contact: " + e.getMessage());

The above code requires WRITE_CONTACTS permission. If it is called without this permission granted, application will suddenly crash.

Next step is to add a permission into AndroidManifest.xml with same old method.

Next step is we have to create another function to check that permission is granted or not. If it isn’t then call a dialog to ask user for a permission. Otherwise, you can go on the next step, creating a new contact.

If any permission in a Permission Group is granted, another permission in the same group will be automatically granted as well. In this case, once WRITE_CONTACTS is granted, application will also grant READ_CONTACTS and GET_ACCOUNTS.

Source code used to check and ask for permission is Activity’s checkSelfPermission and requestPermissions respectively. These methods are added in API Level 23.

 final private int REQUEST_CODE_ASK_PERMISSIONS = 123;
private void insertDummyContactWrapper() {
int hasWriteContactsPermission = checkSelfPermission(Manifest.permission.WRITE_CONTACTS);
if (hasWriteContactsPermission != PackageManager.PERMISSION_GRANTED) {
requestPermissions(new String[] {Manifest.permission.WRITE_CONTACTS},

If permission has already been granted, insertDummyContact() will be suddenly called. Otherwise, requestPermissions will be called to launch a permission request dialog like below.

No matter Allow or Deny is chosen, Activity’s onRequestPermissionsResult will always be called to inform a result which we can check from the 3rd parameter, grantResults, like this:

public void onRequestPermissionsResult(int requestCode, String[] permissions, int[] grantResults) {
switch (requestCode) {
if (grantResults[0] == PackageManager.PERMISSION_GRANTED) {
// Permission Granted
} else {
// Permission Denied
Toast.makeText(MainActivity.this, "WRITE_CONTACTS Denied", Toast.LENGTH_SHORT)
super.onRequestPermissionsResult(requestCode, permissions, grantResults);

This is how Runtime Permission works. To make your application works perfectly with Runtime Permission, we have to handle all the cases with the same method shown above.


We believe that you see the big picture of this new permission system quite clear right now. Runtime Permission is widely used in Android Marshmallow. Only thing we could do right now is to make our application fully support this new permission system.

Good news is there are only few permission that requires Runtime Permission flow. Most of the frequently-used permissions, for example, INTERNET, are in Normal Permission are automatically granted and we have no need to do anything with them. In conclusion, there are just few part of code that should be modified.

In case code is structured well, the modifications required to properly handle custom permissions should not take much time for any experienced mobile developer.

Talk to Us