The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier, the researchers from Germany's University of Ulm said. After a user submits valid credentials for Google Calendar, Twitter, Facebook, or several other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit it to gain unauthorized access to accounts.[..]
With more than 99 percent of carriers offering their users Android versions with known security weaknesses, the report demonstrates how little success Google has had in getting its partners to upgrade to the latest versions. Many Verizon Wireless customers, for instance, remain stuck with Android 2.2.2, despite that version containing vulnerabilities that have been known about for months.
If only there were a mobile phone OS where security fixes could be pushed out to customers without various companies standing in the way... But I guess that's the price you have to pay if you want to be "open".
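One client-side mitigation for the ClientLogin weakness in the quoted report, added here as an example that is not code from the report, the researchers or Google: the token is only attached over TLS, is discarded once the 14-day lifetime the report gives has passed, and is masked in anything written to a log. The `Authorization: GoogleLogin auth=...` header form is the one ClientLogin used; the function names, timestamps and URLs are assumptions.

```python
from urllib.parse import urlsplit

# ClientLogin tokens stayed valid for up to 14 days (figure from the quoted report).
TOKEN_LIFETIME_SECONDS = 14 * 24 * 3600


class InsecureTransport(Exception):
    """Raised when a token would leave the device without TLS."""


class TokenExpired(Exception):
    """Raised when the locally tracked token lifetime has elapsed."""


def build_authenticated_request(url, token, issued_at, now):
    """Return (url, headers) for a ClientLogin-style request, or raise.

    issued_at and now are Unix timestamps in seconds (hypothetical API).
    The guard refuses to attach the token to a plain http:// URL (the
    cleartext exposure the report describes) and discards a token older
    than 14 days instead of replaying it, so a stale token is never resent.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.netloc:
        raise InsecureTransport(
            "refusing to send auth token over %r" % (parts.scheme or "missing scheme"))
    if now - issued_at > TOKEN_LIFETIME_SECONDS:
        raise TokenExpired("token past its 14-day lifetime; re-authenticate")
    # Header shape the ClientLogin protocol used for authenticated calls.
    headers = {"Authorization": "GoogleLogin auth=%s" % token}
    return url, headers


def redact_for_log(headers):
    """Copy of the headers that is safe to log: the token value is masked."""
    safe = dict(headers)
    auth = safe.get("Authorization")
    if auth:
        scheme = auth.split(" ", 1)[0]
        safe["Authorization"] = scheme + " auth=<redacted>"
    return safe
```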
