In short, Craig Young, a researcher at security firm Tripwire, built an app that can steal weblogin tokens and pass them off to another server. Once there, they can be used in a non-Android browser to log in to users’ Google accounts without the actual passwords.
Gmail, Google Drive, and Google Calendar can all be accessed with these weblogin tokens, for regular Gmail users as well as Google Apps customers.
The app apparently went up (is up?) for download. Hackett argues that, at the very least, Google needs to begin looking through the apps for security issues to protect users, while still allowing crazy apps through if they pass the security test. But if Google pulled all the insecure apps, what apps would be left?