Smartphone apps are usually unprivileged and need user permission to access protected system resources. Specifically, the existing Android permission system checks whether the calling app holds the right permission to invoke sensitive system APIs. Although inter-application communication in Android lets applications reuse components from other applications, it also enables the Confused Deputy attack [1], in which a less privileged application starts components in a privileged application. In this paper, we present ChainDroid -- a permission management system combining call chains with access policies to provide safe and flexible access to system APIs. First, when a protected system API is invoked, we construct the call chain, which records call relationships among components, to prevent access by unprivileged applications. Second, we create an access policy file for each system API. Unlike other access policies, which provide attributes merely associated with system APIs, the policy in ChainDroid is based on call chains, and therefore constraint attributes (e.g., the maximum number of applications in a chain) are placed on the call chain for a certain system API. To facilitate the user's operation of ChainDroid, we also create an application that lets the user set constraint attributes for the target system API. The results show that ChainDroid prevents the Confused Deputy attack with little impact on system performance.
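An added illustration of the call-chain check described above (not code from the paper or from ChainDroid): it assumes that every app on the chain must hold the permission guarding the API, and it models the chain-length constraint attribute as `max_apps`. The package names, the `Hop` and `ApiPolicy` types, the `check_call` function and the policy values are all hypothetical.

```python
from dataclasses import dataclass

PERM = "android.permission.CALL_PHONE"
# Constructed sample data: which (hypothetical) packages hold the permission.
GRANTED = {
    "com.example.dialer": {PERM},
    "com.example.contacts": {PERM},
    "com.example.voip": {PERM},
    "com.example.game": set(),
}

@dataclass(frozen=True)
class Hop:
    package: str     # app that owns the calling component
    component: str   # component inside that app

@dataclass(frozen=True)
class ApiPolicy:
    permission: str  # permission guarding the system API
    max_apps: int    # constraint attribute: max distinct apps in a chain

def apps_in_chain(chain):
    """Distinct apps in call order, originator first."""
    seen = []
    for hop in chain:
        if hop.package not in seen:
            seen.append(hop.package)
    return seen

def check_call(chain, policy, granted=GRANTED):
    """Return (allowed, reason) for a system API reached through `chain`."""
    apps = apps_in_chain(chain)
    if not apps:
        return False, "empty call chain"
    # Assumed rule: every app on the chain needs the permission, so a
    # privileged deputy cannot act on behalf of an unprivileged originator.
    for app in apps:
        if policy.permission not in granted.get(app, set()):
            return False, f"{app} lacks {policy.permission}"
    if len(apps) > policy.max_apps:
        return False, f"{len(apps)} apps in chain exceeds limit {policy.max_apps}"
    return True, "ok"

POLICY = ApiPolicy(PERM, max_apps=2)
DIRECT = [Hop("com.example.dialer", "DialActivity")]
# Confused deputy: an unprivileged app starts a privileged app's component.
DEPUTY = [Hop("com.example.game", "AdActivity"),
          Hop("com.example.dialer", "DialService")]
# Every app is privileged, but the chain is longer than the policy allows.
LONG = [Hop("com.example.contacts", "QuickCall"),
        Hop("com.example.voip", "Bridge"),
        Hop("com.example.dialer", "DialService")]
```

Checking only the last hop, as a per-caller permission check does, would allow `DEPUTY`; evaluating the whole chain denies it, and the `max_apps` constraint separately denies `LONG`.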