Well, that only took one media firestorm. Google, in response to widespread reports of a potential credential security hole in Android (which affects not only Android, but any OS using authTokens), is starting to roll out a fix for the public Wi-Fi vulnerability to all affected Android devices today. Google's statement is below:
Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days.
The vulnerability could only be exploited on public Wi-Fi networks, either by a sniffing attack or by SSID spoofing (a much more common method). It allowed an attacker to take a user's authToken for a particular service (e.g., Calendar, Twitter, Facebook, etc.) and then use it to log in to that service and engage in whatever unscrupulous behavior they so desired.
The hole has already been plugged in Gingerbread 2.3.3, as well as in Honeycomb, but the number of Android devices running those versions of the OS is obviously minuscule. Clarification: The fix is going out server side, meaning local authTokens will be erased and replaced with new (secure) ones upon logging back in to the affected service. Thanks to commenters for pointing this out.