Data security is something often taken for granted when it comes to login and password combinations, with the user generally assuming the login system is secure end-to-end. Unfortunately, due to a convenience mechanism implemented in Android 2.3.3 and below, these login credentials can be inadvertently exposed to anyone listening. The vulnerability was first spotted in Android several months ago and patched for some specific programs, but it still affects Google Calendar, Contacts, and possibly other accounts.
Typically, login transactions are done through a secure connection that is encrypted end-to-end, so the data is unintelligible to any internet “hop” that passes it on from server to server before it reaches its destination. In this case, Android utilizes an “authToken” which allows the device to reuse the existing login credentials for up to 14 days without having to log in again. A potential attacker need only control one “hop” between your device and the login server in order to intercept the unencrypted traffic and obtain your authToken. These authTokens are generally considered safe to use if transmitted over a secured connection; however, in this case the connection is unsecured. The most vulnerable point of attack is an unsecured Wi-Fi access point, where the attacker could be somewhere out of sight or even have a device deployed to collect authTokens automatically, but any network remains potentially vulnerable, as packets are out of your control once they leave your local area network.
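To make the mechanism concrete, here is an added example (not code from the original article, Android, or Google) that puts the weak pattern, attaching the 14-day authToken to whatever URL is requested, beside a hardened version that refuses non-TLS transport and stale tokens, and adds a defender-side audit over constructed sync-log lines. The `GoogleLogin auth=` header format, the example hostnames and the log-line format are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

TOKEN_MAX_AGE = timedelta(days=14)  # token lifetime stated in the article
ISSUED_AT = datetime(2011, 5, 1, tzinfo=timezone.utc)  # constructed issue time


class InsecureTransport(Exception):
    """A bearer credential was about to leave the device unencrypted."""


def build_request_weak(url, auth_token):
    """Vulnerable pattern: the token is attached to any URL, http:// included,
    so every hop between the device and the server can read it.
    (Header format is an assumption for illustration.)"""
    return {"url": url, "headers": {"Authorization": f"GoogleLogin auth={auth_token}"}}


def build_request_hardened(url, auth_token, issued_at, now=None):
    """Hardened pattern: refuse plaintext transport and refuse stale tokens."""
    now = now or datetime.now(timezone.utc)
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        raise InsecureTransport(f"refusing to send authToken over {scheme or 'unknown'}://")
    if now - issued_at > TOKEN_MAX_AGE:
        raise ValueError("authToken is older than 14 days; re-authenticate instead of reusing it")
    return {"url": url, "headers": {"Authorization": f"GoogleLogin auth={auth_token}"}}


def audit_sync_log(lines):
    """Defender-side check over constructed sync-client log lines of the form
    '<timestamp> <method> <url> auth=<yes|no>': return URLs that carried a
    token over a non-TLS scheme."""
    exposed = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than abort the audit
        url, auth = fields[2], fields[3]
        if auth == "auth=yes" and urlsplit(url).scheme.lower() != "https":
            exposed.append(url)
    return exposed


# Constructed sample log: calendar sync over plain HTTP, contacts over TLS.
SAMPLE_LOG = [
    "2011-05-17T09:00:01Z GET http://calendar.example.net/feeds/default auth=yes",
    "2011-05-17T09:00:02Z GET https://contacts.example.net/feeds/default auth=yes",
    "2011-05-17T09:00:03Z GET http://static.example.net/favicon.ico auth=no",
]

if __name__ == "__main__":
    print(audit_sync_log(SAMPLE_LOG))  # ['http://calendar.example.net/feeds/default']
```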
Google is aware of the vulnerability and has already addressed it in Android 2.3.4 and Honeycomb; however, the majority of deployed devices (99% according to Google’s statistics) do not run these builds and so remain vulnerable.