Results captured on an LG Optimus V (VM670), Android 2.2.1, stock, rooted, purchased in March 2011.
As of today, the only unencrypted requests I could find in a pcap taken during a complete resync were:
Picasa Web Albums
GET /data/feed/api/user/<username>?imgmax=1024&max-results=1000&thumbsize=144u,1024u&visibility=visible&kind=album HTTP/1.1
GData-Version: 2
Accept-Encoding: gzip
Authorization: GoogleLogin auth=<snipped>
If-None-Match: <snipped; don't know if it's sensitive info>
Host: picasaweb.google.com
Connection: Keep-Alive
User-Agent: Cooliris-GData/1.0; gzip
Picasa was the only service I could find being synced unencrypted. Facebook requested a couple profile images (but didn't pass any account info); Skype requested ads; and TooYoou grabbed a new banner image. None of those relate to sync, really.
So it looks like Google's syncing security has been tightened quite a bit. Turn off syncing Picasa Web Albums and all of your Google data should be synced in encrypted form.
This bothered me a little:
GET /market/download/Download?userId=<snipped>&deviceId=<snipped>&downloadId=-4466427529916183822&assetId=2535581388071814327 HTTP/1.1
Cookie: MarketDA=<snipped>
Host: android.clients.google.com
Connection: Keep-Alive
User-Agent: AndroidDownloadManager
The return of this is a 302 Moved Temporarily that points to a highly complex download URL:
HTTP/1.1 302 Moved Temporarily
Cache-control: no-cache
Location: http://o-o.preferred.iad09g05.v5.lscache6.c.android.clients.google.com/market/GetBinary/com.wemobs.android.diskspace/1?expire=1322383029&ipbits=0&ip=0.0.0.0&sparams=expire,ipbits,ip,q:,oc:<snipped>&signature=<snipped>.<snipped>&key=am2
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Date: Fri, 25 Nov 2011 08:37:09 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Transfer-Encoding: chunked
Android's download manager turns right around and requests that download location, passing the MarketDA cookie again.
I don't know if there's any security danger from how Market downloads APKs. The worst I can imagine is that unencrypted APK downloads open up the possibility of interception & replacement with a malicious package, but I'm sure Android has signature checks to prevent that.
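The triage done by hand in this post (reading a capture for cleartext requests that carry an Authorization header or a session cookie) can be scripted. The following is an added example, not code from the original post; it assumes the requests have already been pulled out of the pcap as text, and its sample requests are constructed with the post's real tokens replaced by placeholders.

```python
# Added example (not from the original post): flag cleartext HTTP requests
# extracted from a capture that carry a session credential. Assumes request
# text was already recovered from the pcap (e.g. by following TCP streams).
from urllib.parse import urlsplit

# Headers whose presence on a plaintext request means a credential crossed
# the wire unprotected: bearer-style tokens and session cookies.
CREDENTIAL_HEADERS = ("authorization", "cookie")


def parse_request(raw: str) -> dict:
    """Parse one HTTP/1.x request (request line plus headers) into a dict."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def triage(requests):
    """Return (host, path, credential header names) for each exposing request."""
    findings = []
    for raw in requests:
        req = parse_request(raw)
        exposed = sorted(h for h in CREDENTIAL_HEADERS if h in req["headers"])
        if exposed:
            host = req["headers"].get("host", "?")
            findings.append((host, urlsplit(req["target"]).path, exposed))
    return findings


# Constructed samples modelled on the two requests in the post; placeholder values only.
SAMPLE_REQUESTS = [
    "GET /data/feed/api/user/USER?kind=album HTTP/1.1\r\n"
    "GData-Version: 2\r\n"
    "Authorization: GoogleLogin auth=PLACEHOLDER\r\n"
    "Host: picasaweb.google.com\r\n"
    "User-Agent: Cooliris-GData/1.0; gzip\r\n",
    "GET /market/download/Download?userId=U&deviceId=D HTTP/1.1\r\n"
    "Cookie: MarketDA=PLACEHOLDER\r\n"
    "Host: android.clients.google.com\r\n"
    "User-Agent: AndroidDownloadManager\r\n",
    "GET /banner.png HTTP/1.1\r\nHost: ads.example\r\n",  # banner fetch, no credential
]

if __name__ == "__main__":
    for host, path, names in triage(SAMPLE_REQUESTS):
        print(f"{host}{path} sends {', '.join(names)} in cleartext")
```

Requests with no credential header (the ad and banner fetches mentioned above) are parsed but not reported.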