I don't think the issue here is the HTTP redirect. The issue is trusting WiFi networks you meet in the wild since for this attack to be successful (as described in the article), the network needs to be compromised/owned by the attackers with either a gateway/proxy or some DNS hijacking to redirect the HTTP requests.
I always VPN my phone traffic through my home network, anyone (esp. tech types) who trust 3rd party apps to only transmit auth tokens securely has a lot more faith in the developers than I do.
I'm curious to know if the Apache HTTP client used on Android blindly follows redirects as default, you can setup handlers to intercept and verify the redirect, but I'm not sure on default behaviour.
I think the moral of this story is don't trust any network that's not yours, and even then, exercise caution.