The app needs to target M in order to access to these granular permission.
An app targeting a lower API level will work in legacy mode where it gets its permissions at install time, like before.
I guess it makes sense in order to give enough time to the devs to update their apps to this new system.
As long as the checking/warning becomes more aggressive in N, I am fine with that choice.
According to the session after the keynote, you'll still be able to at least go back and revoke permissions individually for apps targeting older API levels.
And they will most likely crash if you do, because they are not expecting a SecurityException. I prefer the CyanogenMod way to just give out empty data, if a permission is not given by the user.
What you're calling the "CyanogenMod" way is actually what Google built, it's called AppOps. All CM did was expose it. The actual capability of permission revoking and handing out dummy data instead was all done by Google as part of AppOps and I assume that M is using that same system because it'd be silly not to.
yeah, but that way you can only remove the permission after the installation.
Facebook for example is known to siphon your contact list as soon as the app is installed, so even if you remove the permissions from the fb app, it is already too late.
