Android is a multiprocess system. Each application runs on top of the Android Dalvik machine. Each Dalvik machine runs on top of a Linux process. Each process runs in its own sandbox, which means it can access only the resources it creates. By default, each application is assigned a unique Linux user ID. It is possible to configure multiple applications to share the same user ID. This allows those applications to have the same permission to access the resources.
To access resources outside of the application sandbox, the application needs to request permission from the Android system. Most of the native components in Android have permission restrictions. The permissions requested in the application manifest are exposed to the user during installation. If a user allows installation of the application, then the permissions are granted. Permissions cannot be added after the application is installed. The permissions are defined under android.Manifest.permission. An application can grant permission to a given group using the permission tag in the AndroidManifest file.
androidsl - Tutorials for Beginners 