Mobile computing platforms such as smartphones and tablet computers are becoming a commodity. To simplify development for these devices, it seems like a good idea to offer a middleware solution so that developers can pool common functionality into plugins, saving space on the device while making it easier to develop more functionality. However, mobile platforms like Android never expected integration in the sense that one application would dynamically host pieces of code from different vendors and allow access to other applications, since doing so basically circumvents many built-in security measures of the operating system. The existing Ambient Dynamix Framework was chosen as the sample implementation of a middleware solution for this work, since it provides a modern platform for Android and is entirely open source.

With a solution like this, several problems arise. Android only provides a per-application permission system, which does not allow separating one piece of code inside a single application from other pieces of code. It is also difficult to prevent applications from accessing services provided by another application. Finally, the plugins, which mostly come from remote sources, need to be authenticated, as various attacks could allow an attacker to intercept the download and replace a benign plugin with a malicious one, or even to set up a completely malicious repository that could lead to a total compromise of a device.

So the first step is to thoroughly understand the Android security model and the relevant differences from the desktop Java platform. Knowing those, a solution needs to be found that does not require any modification to the Android operating system. APIs may be used to gain information about the applications and their rights in order to prevent privilege escalation. To prevent downloaded plugins from misbehaving, we will employ static code analysis. In the course of this work, solutions for these problems are given.

The Android security architecture is leveraged to introspect calling applications and assert their permissions. Two libraries have been created: one to check whether there are differences between the requested permissions of plugins, and another to handle signing of the plugins from the sources to prevent fraud.
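
The caller introspection mentioned above can be sketched as follows. This is an added example, not code from this work or from Ambient Dynamix: the class `CallerPermissionGate`, its method name, and the policy that a caller must itself hold every permission a plugin requests are assumptions made for illustration.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.util.Log;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;

/** Hypothetical helper for a plugin-hosting service; not Ambient Dynamix code. */
public final class CallerPermissionGate {
    private static final String TAG = "CallerPermissionGate";
    private final Context context;

    public CallerPermissionGate(Context context) {
        this.context = context.getApplicationContext();
    }

    /**
     * Call from inside a Binder method of the middleware service, before any
     * Binder.clearCallingIdentity(). Returns the permissions the plugin
     * requests that the calling application does not hold; an empty list
     * means the caller gains nothing it could not already do itself.
     */
    public List<String> missingForCaller(Set<String> pluginPermissions) {
        int uid = Binder.getCallingUid();
        List<String> missing = new ArrayList<>();
        for (String permission : pluginPermissions) {
            // Fails closed: returns PERMISSION_DENIED when no IPC is being handled.
            if (context.checkCallingPermission(permission)
                    != PackageManager.PERMISSION_GRANTED) {
                missing.add(permission);
            }
        }
        if (!missing.isEmpty()) {
            // Permissions are granted per UID, so packages sharing the UID
            // are indistinguishable here; log all of them for the audit trail.
            String[] packages = context.getPackageManager().getPackagesForUid(uid);
            Log.w(TAG, "uid " + uid + " " + Arrays.toString(packages)
                    + " lacks " + missing);
        }
        return missing;
    }
}
```

A service would refuse to dispatch the request to the plugin, for example by throwing a `SecurityException`, whenever the returned list is non-empty.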