Apparently, any Android phone (hate to knock on Android) running anything before 2.3.3 (read: just about every phone out there at this point) is transmitting Google login credentials in plain text. That’s not a problem if you’re using the cell network or an encrypted Wi-Fi hotspot. But if you’re on an unencrypted hotspot, such as one at a coffee shop, then someone could be stealing your Google login credentials.
The way Android works makes this worse: as soon as it gets a new Wi-Fi connection, it initiates a sync, which transmits the login details to Google’s servers. If someone is smart, they can trap those credentials and impersonate you to Google’s servers.
The cure? Don’t use unencrypted Wi-Fi networks.
Here is an article on the subject that does a good job of illustrating the issue and the solution: http://download.cnet.com/8301-2007_4-20063792-12.html?part=rss&subj=news&tag=2547-1_3-0-20