Up until Gingerbread 2.3.4, Android sent authTokens for Contacts, Calendars, and Picasa in clear text. An “authToken”, as you’d expect, is an “authorization token”. It’s essentially your username and password rolled into one which authorizes your login to a particular service — and it does so without having to send either your username or your password. With me so far?
That’s fine as long as you’re on an encrypted and trusted network, but if you have someone (or something, like a Trojan) on your encrypted network, or if you’re using an unencrypted network (like a public Wi-Fi access point), your authorization token is sent in the clear. Put simply, a person on that network could sniff out your authToken and have access to your personal information.
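As an added example (not from the article or from Google), here is a defender-side check that scans logged requests and reports any authToken that travelled over plain http instead of https. It assumes the token is carried as `Authorization: GoogleLogin auth=<token>` (Google's ClientLogin header form) and uses constructed sample records.

```python
# Added example (not from the article): scan request records of the kind a
# proxy or capture tool logs and report every ClientLogin-style
# "Authorization: GoogleLogin auth=<token>" header sent over plain http.
# Hosts, paths and tokens below are constructed sample data.
import re
from typing import Dict, List, Optional

# Google's ClientLogin scheme carried the token in this header form.
_GOOGLELOGIN = re.compile(r"^GoogleLogin\s+auth=(\S+)$", re.IGNORECASE)

SAMPLE_REQUESTS: List[Dict] = [
    {"scheme": "http", "host": "www.google.com", "path": "/m8/feeds/contacts/default/full",
     "headers": {"Authorization": "GoogleLogin auth=EXAMPLE_TOKEN_1"}},
    {"scheme": "https", "host": "www.google.com", "path": "/calendar/feeds/default/private/full",
     "headers": {"Authorization": "GoogleLogin auth=EXAMPLE_TOKEN_2"}},
    {"scheme": "http", "host": "picasaweb.google.com", "path": "/data/feed/api/user/default",
     "headers": {"authorization": "GoogleLogin auth=EXAMPLE_TOKEN_3"}},  # lower-case header name
    {"scheme": "http", "host": "example.org", "path": "/public", "headers": {}},
]

def extract_token(headers: Dict[str, str]) -> Optional[str]:
    """Return the ClientLogin token if the request carries one, else None."""
    # Header names are case-insensitive, so compare lower-cased.
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        return None
    match = _GOOGLELOGIN.match(value.strip())
    return match.group(1) if match else None

def redact(token: str) -> str:
    """Keep a short prefix only, so findings can be logged without re-leaking the token."""
    return token[:4] + "..."

def plaintext_token_exposures(requests: List[Dict]) -> List[Dict[str, str]]:
    """One finding per token that travelled over an unencrypted (http) connection."""
    findings = []
    for req in requests:
        token = extract_token(req.get("headers", {}))
        if token is not None and req.get("scheme", "").lower() == "http":
            findings.append({"host": req["host"], "path": req["path"], "token": redact(token)})
    return findings

if __name__ == "__main__":
    for f in plaintext_token_exposures(SAMPLE_REQUESTS):
        print(f"authToken sent in the clear to {f['host']}{f['path']} ({f['token']})")
```

The https request is not reported, and the token in each finding is redacted so the report itself does not become another copy of the secret.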
Android Gingerbread 2.3.4 already addresses the problem, but all the other versions of the OS are at risk.
Google is already hard at work putting a fix together — you will probably have it on your device within the next few days. What’s more, the fix will be applied via a “stealth update” meaning neither you nor your carrier will have to do anything to deliver or apply the patch. You probably won’t even know that it’s been applied.
Currently, the fix will work for Contacts and Calendars, but fixing the problem on Picasa will take some more time.