Sadly not too many details are published. Wouldn't be surprised if the main vulnerability was caused by applications blindly trusting any certificate - which happens to be a fairly common design pattern when dealing with Android. Sadly, a lot of popular signing authorities are not trusted by default in some versions of Android, and it isn't an easy task to get a user to add others.<p>There's several apps I've used where I've had no choice except to trust all authorities. I know the dangers of this, but I doubt most Android users do.
tl;dr: 8% of the top 13k apps don't verify SSL certificates.<p><i>The scientists began their research by downloading 13,500 free apps from Google Play and subjecting them to a "static analysis." Those tests checked whether the SSL implementations of the apps were potentially vulnerable to "man-in-the-middle" exploits, in which attackers are able to monitor or tamper with communications flowing over public Wi-Fi hotspots or other unsecured networks. The results identified 1,074 apps, or eight percent of the sample, that contained "SSL specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks."</i><p><snip><p><i>The paper made no attempt to measure the security provided by apps available for Apple's competing iOS platform. One possible reason the researchers focused on Android apps exclusively is that the openness of the Google platform made it easier to perform static analysis. That, in turn, made it possible to zero in on the apps with SSL implementations that exposed sensitive user data. It would be interesting to see the results of a similar analysis performed on the 13,000 most popular iPhone apps.</i>
> A "very popular cross-platform messaging service" with an install base of 10 million to 50 million users exposed telephone numbers from the address book.<p>WhatsApp would that be?
From the examples: " A "very popular cross-platform messaging service" with an install base of 10 million to 50 million users exposed telephone numbers from the address book."<p>This app is surely WhatsApp. There was a thread in hackernews about it not using SSL.