The popularity of Android makes it the prime target of the latest surge in mobile malware. Protecting privacy and integrity of information is helpful for Android users. Currently, malicious software often achieve the purpose of privacy theft and malicious chargeback by sending short messages, making phone calls or connecting Internet surreptitiously. We develop a novel solution that supports multiple security policies to provide much of the integrity and privacy that users desire. We present and implement a security framework for Android which consists of both mandatory access control in the kernel layer and role-based access control in the framework layer. It allows users to define their own security policy and provides fine-grained access control to (untrusted) applications. We implemented a prototype system MPdroid for Android 4.0 platform. Experiments show that we can apply this solution to really help users control applications, block malicious software without significant performance overhead.