I installed the Airbnb on my Nexus 5 device running Marshmallow preview 3 and was playing with the permission model. I found one great oddity while using their app.
Normally, if you get the the email accounts registered with the device using the AccountManager getAccounts() method you need to have the GET_ACCOUNTS permission enabled for it to work.
However, in their app, even if I revoke the GET_ACCOUNTS permission, they are still able to get access to the email accounts registered which in all honesty is really strange o.O (they have an autocomplete feature in email log in).
Doesn't that defeat the purpose of having a runtime permission model?
Airbnb does not target API 23, therefore they do not use runtime permissions (you can see this at install time when the list of permissions comes up). Instead, they follow the compatibility model where users can still disable permissions to the app in ways that won't crash.
The compatibility mode, however, does not (as of Developer Preview 3) allow users to disable use of GET_ACCOUNTS. In fact, if a developer not targeting API 23 does not use any other runtime permission in the CONTACTS group, the Contacts group won't even appear to be disabled (even though technically it would include GET_ACCOUNTS).
Of course, once Airbnb moves to target API 23 and use runtime permissions, then they'll need to request the Contacts permission group to use GET_ACCOUNTS if they want to retrieve any account other than their own.