Android Market removal

On Wednesday I received this e-mail from the Android Market team:

This is a notification that the application, DroidSheep [ROOT REQUIRED] with package ID de.trier.infsec.koch.droidsheep has been removed from Android Market due to a violation of the Developer Content Policy. Please review the Content Policies and Business and Program Policies before you create or upload additional applications. Note that repeated violations may result in a suspension of your Android Market Publisher account.

For more information, or to contact us, please reply to this email, or visit the Android Market Help Center.

Thanks,

The Android Market Team

So damn! DroidSheep had more than 17.000 users until then - why did they take more than six weeks to find out DroidSheep does “not comply to their Policies”??
I responded to their mail and asked them for some more explanation. DroidSheep was not made as malicious software!
It neither uses a programming issue/exploit, nor does it decrypt anything by doing an attack.

So in my opinion, the main thing is to show the users how easy it can be to steal their identities! I read a lot of very surprised comments, and people realizing how dangerous public WiFi can be.

Maybe they will respond to my mail, though I do not think they will change anything in their behaviour… :-(

This was what I wrote them:

Dear Android Market Team,

Yesterday, my app “DroidSheep” was removed from Android Market. You claimed it violates the Developer Content Policy.

So in response to your removal, I read the policies very carefully and I can imagine you treat DroidSheep as “malicious software”.
In my opinion (and in the opinion of most people talking about DroidSheep) this is not justified because:

- DroidSheep is a research project and does not intend to harm any person or their data. The main and only intention of DroidSheep is to make the Web more secure. There are very poor security properties on most websites, especially on big web services like FaceBook, Yahoo, ebay, … - they deal with millions of users' data and force them to send this data via unencrypted, plain text channels - and nobody knows that. (Even the FB Android app sends the session cookies unencrypted!!!)
I think, as a developer, it is my duty to help people gain knowledge of this. Most people are not aware of what happens to their data and are shocked when they see what is possible. This pressure (or the one generated by “FireSheep”) was the only reason for FB to implement SSL (opt-in) for their web service. SO PUBLIC PRESSURE WAS SUCCESSFUL!
DroidSheep neither decrypts any data by exploiting any issues, nor does it show any passwords or use SSL stripping. It uses the unencrypted data on the air. DroidSheep will never use any exploits.
- Users should have the possibility to find out how easy it can be to hijack their own account by trying it themselves. There are only two commands to execute in order to do DroidSheep's work by hand - so it is not harder than using DroidSheep - but the technical barrier prevents most people from trying it - and therefore they never find out how unprotected their data is.
If you read the market comments, there are lots of people who learned about security issues and do not use public wifi from now on - THIS IS A GREAT SUCCESS of my work.

DroidSheep is also free, open source (hosted on googlecode) and tries to help people secure themselves (see www.droidsheep.de).
So I would greatly appreciate it if you would consider re-adding DroidSheep to Android Market in order to make the internet more secure.

Just as a note - Google is one of the few companies which set a very good example of how easily security can be gained. This article shows how easy and low-cost switching to SSL can be - and there really is no barrier to implementing SSL. (http://techie-buzz.com/tech-news/google-switch-ssl-cost.html)

So if you do not think DroidSheep can be on the Android Market, please tell me if there is any possibility to change DroidSheep's functionality to comply with the Market ToS in order to make the internet more secure and tell people to care about privacy.

Thanks,

Andreas Koch
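The letter's technical point is that session cookies travel over plain HTTP, which is all a passive listener on open WiFi needs. The defender-side fix is HTTPS plus the cookie Secure (and HttpOnly) attributes. The audit below is an added example, not part of the original post or of DroidSheep; the Set-Cookie samples are constructed, and the session-name hints are an assumption.

```python
"""Audit Set-Cookie headers for session cookies that could be read on the air.

Added example (not DroidSheep code). Flags three things per cookie:
  - the cookie was set in a plain-HTTP response (already visible in transit),
  - a session-looking cookie lacks Secure (browser will resend it over HTTP),
  - a session-looking cookie lacks HttpOnly (readable by page scripts).
"""

# Assumption: substrings that usually mark a session/auth cookie name.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")

# Constructed sample responses: (URL scheme, list of Set-Cookie header values).
SAMPLES = {
    "plain_login": ("http", ["sessionid=c0ffee; Path=/; HttpOnly"]),
    "tls_no_secure": ("https", ["auth_token=abc; Path=/; HttpOnly",
                                "theme=dark; Path=/"]),
    "hardened": ("https", ["sessionid=c0ffee; Path=/; Secure; HttpOnly"]),
}


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_session_cookie(name):
    """Heuristic: does the cookie name look like it carries a session/auth token?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_response(scheme, set_cookie_headers):
    """Return a list of human-readable findings for one HTTP response."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if scheme == "http":
            findings.append(f"{name}: set over plain HTTP, readable in transit")
        if is_session_cookie(name):
            if "secure" not in attrs:
                findings.append(f"{name}: session cookie without Secure attribute")
            if "httponly" not in attrs:
                findings.append(f"{name}: session cookie without HttpOnly attribute")
    return findings


def audit_all(samples=SAMPLES):
    """Audit every constructed sample; returns {sample_name: [findings]}."""
    return {label: audit_response(scheme, headers)
            for label, (scheme, headers) in samples.items()}
```

Running `audit_all()` reports the plain-HTTP login and the TLS response whose auth cookie lacks Secure, and nothing for the hardened response.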

7 Responses to Android Market removal

  1. Andreas
    HG Team seconds you! We believe the Android team misjudged the tool and didn’t properly evaluate it, and removed it from the repository.

    BTW, we thought you were aware of this removal and we published a detailed review of DroidSheep with a complete tutorial to install it without Android Market.

    Those who are unable to install Android Market can follow this short tutorial:
    How to install DroidSheep on Android without Android Market

  2. Don’t worry, we will still provide your software on Polish websites. PL version, that I provided has more than 2000 downloads (on just 2 forums) :-)

  3. Hey,
    why do I have to grant access to “my messages / Gmail” when I try to install Droidsheep?

  4. Bad news .. Success with the project :D

  5. I tested Droidsheep on my android phone and picked up accounts from computers and iphones. I got into the accounts no problem, so they mustn’t use ssl. Pretty scary stuff. Think - do you access free wifi at uni, work or somewhere like mcdonalds? Who could be watching your account? They don’t just hijack facebook either. There are numerous types of accounts.

  6. Actually you know what I would have said to them in your reply about DroidSheep helping people find out how easy it is to steal an identity and not being meant for malicious use. I would have said that the google search engine is there to openly provide information to people for entertainment and research. However there are things called “google Dorks” that allow people to find vulnerable sites using specific search terms and then attack them (eg password files of some sites etc).

    Does that mean that google is in violation of their own terms of service agreement by providing a service and a small select few using it for illegal purposes? I could go on all night about how they enable criminals. But I think I made my point.
