Statically Checking the Inconsistencies of Security Assumptions/Measures in Android Apps and Systems
A common cause of security problems is a lack of consistency in the design and implementation of software, especially of system security mechanisms. This talk will cover three related pieces of work on analyzing inconsistencies in the Android OS that lead to security flaws in apps and system services. Specifically, the inconsistencies take the form of (1) offering inter-process communication (IPC) mechanisms with inconsistent (strong/weak) security guarantees; (2) failing to make sure all paths to protected operations are covered; (3) misplacing trust in code or data. By statically analyzing a large number of apps and system services (from Google and third-party vendors), we identified dozens of vulnerabilities, most of which resulted in patches.
Tue 6 Nov (displayed time zone: Guadalajara, Mexico City, Monterrey)
13:30 - 15:00
13:30 | 30m | Talk | Delphi: Connecting Researchers to Enable Comparable Large-Scale Experiments in Program Analysis | NJR | Ben Hermann, University of Paderborn
14:00 | 30m | Talk | Statically Checking the Inconsistencies of Security Assumptions/Measures in Android Apps and Systems | NJR | Zhiyun Qian, UC Riverside
14:30 | 30m | Talk | Qualitas Corpus Analysis | NJR | Craig Anslow, Victoria University of Wellington