Android Wi-Fi Data Leaks

Turtle

Administrator
Staff member
Retired Expediter
No, it's for real, not just scare tactics. A lot of it is just the nature of public WiFi, where anything like a login or password that gets passed in the clear can be intercepted. If you're logging onto https (secure) sites, then it's not a problem. Except in the case of the Google tokens, the tokens are sent in the clear even when accessing secure sites, so that's the problem.

Eavesdroppers can intercept and use authentication tokens sent between Android apps and Google services via unsecured Wi-Fi. Those tokens, which aren't tied to specific devices or sessions, can be used to peek at and tweak a user's email, contacts, and calendar. Devices running Android 2.3.3 or earlier (which accounts for the vast majority of phones) are most vulnerable. On Android 2.3.4 and later, Calendar and Contacts use a secure HTTPS connection, though the Gallery app which syncs with Picasa online Web albums does not. More important, the vulnerability is not limited to standard Android apps, as any Android or desktop app that accesses Google services via ClientLogin over HTTP is vulnerable.

Here's the article which details the discovery, and another article from InfoWorld that's worth the read.

Until the fixes are out and/or you upgrade to Android 2.3.4, don't set the phone to automatically connect to open WiFi hotspots, and instead manually connect and then remember those you trust. You gotta be careful when accessing an open WiFi, because anyone can name their hotspot anything they want, like some goober sitting in the parking lot at Starbucks with a hotspot named "Starbucks Free WiFi" or something, and then scooping up all the data of those who ignorantly connect to the net through his AP.
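A check an app developer could run over traffic recorded from their own test device, to see which requests carry a ClientLogin token outside HTTPS. This is an added example, not part of the original post. The capture format, hosts and tokens are constructed, and it assumes the `Authorization: GoogleLogin auth=` header form that ClientLogin requests use.

```python
import re
from urllib.parse import urlsplit

# ClientLogin requests carry the token as "Authorization: GoogleLogin auth=<token>".
AUTH_RE = re.compile(r"^authorization:\s*GoogleLogin\s+auth=(\S+)", re.I | re.M)

# Constructed sample: (request URL, raw request headers) as a debugging proxy
# on your own test device might record them. Hosts and tokens are placeholders.
SAMPLE_CAPTURE = [
    ("http://calendar.example/feeds/default/private/full",
     "Host: calendar.example\r\nAuthorization: GoogleLogin auth=CONSTRUCTED-TOKEN-AAAA\r\n"),
    ("https://contacts.example/feeds/contacts/default/full",
     "Host: contacts.example\r\nauthorization: GoogleLogin auth=CONSTRUCTED-TOKEN-BBBB\r\n"),
    ("http://photos.example/data/feed/api/user/default",
     "Host: photos.example\r\nAUTHORIZATION:GoogleLogin   auth=CONSTRUCTED-TOKEN-CCCC\r\n"),
    ("http://news.example/index.html",
     "Host: news.example\r\nAccept: text/html\r\n"),
]

def redact(token):
    """Keep only a short prefix so the report itself does not leak the token."""
    return token[:4] + "..." if len(token) > 4 else "..."

def find_cleartext_tokens(capture):
    """Return (host, redacted token) for every token sent over plain HTTP."""
    findings = []
    for url, headers in capture:
        match = AUTH_RE.search(headers)
        if not match:
            continue  # request carries no ClientLogin token
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            findings.append((parts.hostname, redact(match.group(1))))
    return findings

if __name__ == "__main__":
    for host, token in find_cleartext_tokens(SAMPLE_CAPTURE):
        print(f"token {token} sent in the clear to {host}")
```

Any host this reports is one where the app should be switched to HTTPS before it is used on an open hotspot.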