“Yes, it is possible, and it is quite easy to do so. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs.”
It’s the unencrypted HTTP protocol used by ClientLogin that allows the user’s password and username to be easily sniffed. The scale of this is pretty big, as the researchers further explain:
“For instance, the adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user. This means that the adversary can view, modify or delete any contacts, calendar events, or private pictures. This is not limited to items currently being synced but affects all items of that user.”
Luckily, it seems that the secure HTTPS protocol has been implemented for calendar and contacts authentication in Android 2.3.4, but pictures synced through Picasa could still be subject to the attack. To minimize the chance of having your data stolen, you could avoid using public open Wi-Fi networks or turn off automatic syncing from the Settings menu on your Android device. Hopefully, Google will release a fix for the issue now that the research has been published, but in the meantime let us know your opinion. Is that a serious issue for you?
source: University of Ulm via TheNextWeb