Android hybrid applications use the Web Kit engine on Android platform to render Web contents and process JavaScript codes, and enable JavaScript codes to access device sensitive resources and native APIs. Therefore, hybrid applications will bring different security issues compared to native applications. The existing privacy leak detection methods for Android native applications cannot be directly applied to hybrid applications. In addition to the Dalvik Virtual Machine (DVM), hybrid applications may also spread privacy in the WebView component, which increases the scope of privacy dissemination and increases the difficulty of taint tracking. We delve into the different characteristics of privacy spreading on the DVM, Webkit engine and JavaScript engine of hybrid ap-plications. We propose HTDroid, an efficient dynamic taint tracking system for hybrid applications. The core idea of HTDroid is to spread the taint tags in the DVM to the Web Kit engine, and add the function of tracking the spread of taint data to WebKit engine and JavaScript engine through source code instrumentation. Our experiments show that HTDroid can run on both Android emulators and devices and effectively detect privacy leaks in hybrid applications and can deal with the two ways of privacy leaks in hybrid applications while existing TaintDroid cannot. Compared to the original Android system, HTDroid incurs only 22% performance overhead on CaffenieMark benchmark and impose 4.3 % overhead on J avaScript V8 engine benchmark, which is acceptable for run-time taint tracking.