Mobile applications can access various sensitive personal data stored on mobile devices. This gives rise to threats of data leaks. App auditing is a fundamental program analysis task to reveal data-leaking code paths. Currently, static analysis is the de facto technique in use since it can pinpoint problematic data flows in the whole program. However, static analysis generates false alarms for being over-estimating and requires manual validation. Also existing approaches need minutes or even hours to examine an app, which causes obstacles to be used on mobile devices or development machines and requires lots of resources for market-scale use cases. To overcome these limitations, we design AppAudit to use an efficient but over-estimating static API analysis first and then relies on a dynamic analysis to prune its false positives. Overall, AppAudit achieves a low false positive rate as the dynamic analysis only explores possible code paths during real execution. AppAudit also achieves short analysis time by combining an efficient static stage with a highly parallelizable dynamic stage. AppAudit enables three important use cases with its improved accuracy and performance. First, market operators can get rid of tedious human checks and fully automate the app auditing task with fewer resources than before. Second, app developers can quickly perform self-check before publishing apps, to avoid using data-leaking 3rd-party libraries. Third, mobile users can scan an app from untrusted sources before installation and get real-time auditing results. We apply AppAudit to more than 1,000 known malware and 400 real apps from various markets. Overall, AppAudit reports as many data leaks as existing approaches, while eliminating all false positives, being 8.3x faster and using 90% less memory. AppAudit also uncovers 30 data leaks in real apps and reveals the common properties behind these leaks. We find that most leaks are caused by 3rd-party advertising libraries and they commonly utilize HTTP requests to leak data. We believe AppAudit serves as an effective tool to annihilate data-leaking apps and provides guidance to design promising runtime techniques against data leaks.