Step 1 :
You’ll also need to declare Permissions in your AndroidManifest.xml file. There’s no change here. Whatever permissions your app has always needed should be declared in your AndroidManifest.xml file with the uses-permission tag.
Step 2 :
Verify Permissions before calling APIs
You have to actually request and check if the permission was granted by user to use.
So permissions in manifest file will only work for api below 21.
Check this code for a snippet of how permissions are requested in api23
Normal and Dangerous Permissions
System permissions are divided into several protection levels. The two most important protection levels to know about are normal and dangerous permissions:
Normal permissions cover areas where your app needs to access data or resources outside the app's sandbox, but where there's very little risk to the user's privacy or the operation of other apps. For example, permission to set the time zone is a normal permission. If an app declares that it needs a normal permission, the system automatically grants the permission to the app. For a full listing of the current normal permissions, see Normal permissions.
Dangerous permissions cover areas where the app wants data or resources that involve the user's private information, or could potentially affect the user's stored data or the operation of other apps. For example, the ability to read the user's contacts is a dangerous permission. If an app declares that it needs a dangerous permission, the user has to explicitly grant the permission to the app