Researchers have found a security vulnerability in Android 2.3.3 and earlier which could make it easy for someone to steal your credentials for Google Calendar, Facebook, Twitter, or other accounts when you connect to an unsecured WiFi hotspot. Google has fixed most of the problem with Android 2.3.4 — but few phones actually run the latest version of the operating system and it’s not clear if or when wireless carriers and device makers will push the software update.
Basically what happens is when you connect to a WiFi hotspot your phone will probably login to a number of online accounts and synchronize your data. It will retrieve an authentication token which contains your data — and which includes the text of your login credentials. If someone sets up a WiFi network with the express purpose of stealing your data and you connect to it unknowingly, you could be giving up your personal data.
While you’re waiting for an official fix, there are a few ways to protect yourself. You could disable WiFi on your phone any time you’re not near a wireless network you trust, such as your home or work network. You could also disable automatic synchronization when using an unsecured wireless network.
The researchers are also recommending that application developers update their programs to use https secure connections. While Android 2.3.4 users are mostly safe, photos in Picasa Web Albums are still synchronized using an unencrypted connection. Google is reportedly working on a fix for this problem. So even if you have the latest version of Android, you may want to avoid synchronizing your data over an open network.
via The Register
and here is why Google needs to be able to push updates to phones asap.