For a project at university I have done research about all kinds of security issues, especially privacy-related ones, that have come up on mobile OSes and applications over the last few years.
One of the most infamous breaches I read about seems to be the same-origin policy (SOP) vulnerability that was discovered in Android's stock browser (AOSP) last year. The more I read about this attack though, the more it seems to me that the media have just greatly exaggerated the severity of this issue, since the actual attack vector seems to be quite small to me - at least from a privacy point of view. To sum up what I have found out:
There is an HTTP header field called 'Cross-Frame-Options' which prevents exactly this kind of attack because you can't even open the page in question within an iframe. Judging from some internet research and practical tests, most web frameworks set this header at least to 'same origin' by default, let alone big privacy-critical pages like social networks, online banking services and so on.
If you MITM'ed the connection and you were able to strip the XFO header, that would imply that the communication between victim and server was unencrypted and you could just steal session cookies or document data directly anyway.
I also had the idea to strip an insecure page of the XFO header, then open it within an iframe (say http://amazon.com), then pass the value of the document.cookie field from JS to the outside, since it could theoretically also contain secure cookies. Turns out, there is the 'httpOnly' property for cookies, which prevents exactly this kind of abuse ...
Now I know that there are probably hundreds of thousands of smaller sites that don't implement all of the above security measures or do it incorrectly, but articles like the one I linked (and dozens of others) clearly state that one could read emails from Gmail or hijack Facebook sessions with this vulnerability present. Am I correct in assuming that the journalists who wrote these articles just didn't think the whole thing through, or am I actually missing some critical piece of information?
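Added example, not part of the original question: a small audit that checks one HTTP response for the two defences the question relies on, a framing restriction (sent by servers as `X-Frame-Options`, or as the CSP `frame-ancestors` directive) and the `HttpOnly` cookie attribute. The function name `auditResponse` and both sample responses are constructed for illustration.

```javascript
// Added example: audit one HTTP response for framing and cookie defences.
// headerPairs is an array of [name, value] pairs, e.g. taken from a proxy log.
function auditResponse(headerPairs) {
  const get = (name) => headerPairs
    .filter(([n]) => n.toLowerCase() === name)
    .map(([, v]) => v.trim());

  // X-Frame-Options: only DENY and SAMEORIGIN are counted as protective here.
  const xfo = get('x-frame-options').map((v) => v.toUpperCase());
  const xfoOk = xfo.length > 0 && xfo.every((v) => v === 'DENY' || v === 'SAMEORIGIN');

  // CSP frame-ancestors: protective unless it lists "*" or a bare scheme.
  const cspOk = get('content-security-policy').some((policy) =>
    policy.split(';').some((directive) => {
      const [name, ...sources] = directive.trim().split(/\s+/);
      return name.toLowerCase() === 'frame-ancestors' && sources.length > 0 &&
        sources.every((s) => s !== '*' && !s.endsWith(':'));
    }));

  // Set-Cookie: first segment is name=value, the rest are attributes.
  const cookies = get('set-cookie').map((line) => {
    const [pair, ...attrs] = line.split(';').map((s) => s.trim());
    const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
    return { name: pair.split('=')[0], httpOnly: flags.has('httponly'), secure: flags.has('secure') };
  });

  return {
    framingRestricted: xfoOk || cspOk,
    scriptReadableCookies: cookies.filter((c) => !c.httpOnly).map((c) => c.name),
    cookiesWithoutSecure: cookies.filter((c) => !c.secure).map((c) => c.name),
  };
}

// Constructed sample responses (not captured from any real site).
const hardened = [
  ['X-Frame-Options', 'SAMEORIGIN'],
  ['Set-Cookie', 'session=abc123; Path=/; Secure; HttpOnly'],
  ['Set-Cookie', 'lang=en; Path=/'],
];
const weak = [
  ['Content-Security-Policy', "default-src 'self'; frame-ancestors *"],
  ['Set-Cookie', 'session=abc123; Path=/'],
];
console.log(auditResponse(hardened));
console.log(auditResponse(weak));
```

Running it over responses from the sites you care about shows which of them would still expose a script-readable session cookie or allow framing.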