Excerpt from a Security Curve Android reality check
The 99.7 percent of phones are the ones that will not submit the authtoken in question over HTTPS. So, the point is: if you use your Android phone on a WiFi network, and that network isn’t protected, someone could steal the token and use it to get access… just like they could with quite a large number of other traditional web sites, by the way. I’m not downplaying the problem here – it’s an issue because it’s behaving in a way that is contrary to expected behavior. But my point is that the reality is slightly less panic-worthy than you might believe from reading the press coverage.