I'd be curious to see what information is transferred by Android phones that is not through SSL. Given all the apps out there that have access to your personal data and could be transmitting whoknowswhat through non-ssl requests, probably enough ways to mess with someone.

Imagine using a pineapple http://wifipineapple.com/ and sitting in a coffee shop with your laptop out messing with people's insecure traffic! The ramifications of such could be quite potent given any chance that an insecure app could allow insertion of basically any content into a http request.

This is why you secure your damn wifi. Even if the password and user are on the wall, the traffic is still encrypted!

If you are in a coffeshop you too will likely have the passphrase to the WiFi, then you can still intercept traffic of your unsuspecting users, ARP poisoning and whatnot.

So just because its WPA2 doesnt make it magically safe from tampering.

And usually a coffeshop that has WPA2 will still have admin/admin as their router credentials, if you are lucky they have Linux and from there you have # and can use iptables to divert traffic to your device as you wish.

Fortunately there are a few projects out there that will let you wrap up a pretty decent radius+WPA2-enterprise setup -- but even with that ease-of-use -- the things that can go wrong to take down the network sky-rockets, and few coffee shops etc will be deploying it (too much hassle/too much time/too little awareness).

I believe there is ample opportunity to sell a "secure wifi box" with some kind of fanless linux/*bsd-box with a (more) secure access point in it than what most ISPs currently deliver. Throw in a caching, ad-blocking proxy... (Alternative business plan: give the boxes away, sell ads based on location -- (re)placing ads in web content...).