When Android devices are used to access web-based services, such as Gmail, they receive authentication tokens. But some of these tokens are sent in plain-text, making them easy to read if captured.