Publications

2020

Cloudy with a Chance of Misconceptions: Exploring Users' Perceptions and Expectations of Security and Privacy in Cloud Office Suites
Dominik Wermke, Christian Stransky, Nicolas Huaman, Niklas Busch, Yasemin Acar, and Sascha Fahl. Sixteenth Symposium on Usable Privacy and Security, SOUPS 2020, August 12-14, 2020
Poster: Perceptions of Handling Sensitive Data in Cloud Office Applications
Dominik Wermke, Christian Stransky, Nicolas Huaman, Niklas Busch, Alexander Krause, Yasemin Acar, and Sascha Fahl. In 41st IEEE Symposium on Security and Privacy, IEEE S&P 2020, May 18-20, 2020
Poster: When Brave Hurts Privacy: Why Too Many Choices do More Harm Than Good
Anna Lena Fehlhaber, Marco Gutfleisch, Daniel Theis, Florian Wallkoetter, Yasemin Acar, and Sascha Fahl. In 41st IEEE Symposium on Security and Privacy, IEEE S&P 2020, May 18-20, 2020
Listen to Developers! A Participatory Design Study on Security Warnings for Cryptographic APIs
Peter Leo Gorski, Yasemin Acar, Luigi Lo Iacono, and Sascha Fahl. CHI '20: CHI Conference on Human Factors in Computing Systems, Honolulu, HI, USA, April 25-30, 2020

2019

"Get a Free Item Pack with Every Activation!"
Karoline Busse, Sabrina Amft, Daniel Hecker, and Emanuel von Zezschwitz. i-com, 18 (3), p. 217-236, 2019.
(Un)informed Consent: Studying GDPR Consent Notices in the Field
Christine Utz, Martin Degeling, Sascha Fahl, Florian Schaub, and Thorsten Holz. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS 2019, London, UK, November 11-15, 2019
Poster: Towards Understanding the WhatsApp Dilemma
Christian Stransky, Dominik Wermke, Johanna Schrader, Nicolas Huaman, Anna Lena Fehlhaber, Yasemin Acar, and Sascha Fahl. In 28th USENIX Security Symposium, USENIX Security 2019, Santa Clara, CA, USA, August 14-16, 2019
Poster: A Large Scale Investigation of Obfuscation Use in Google Play
Dominik Wermke, Nicolas Huaman, Yasemin Acar, Bradley Reaves, Patrick Traynor, and Sascha Fahl. In 26th Annual Network and Distributed System Security Symposium, NDSS 2019, San Diego, California, USA, February 24-27, 2019
Poster: Project Leine - A Virtualized Study Infrastructure
Dominik Wermke, Nicolas Huaman, Christian Stransky, Yasemin Acar, and Sascha Fahl. In 26th Annual Network and Distributed System Security Symposium, NDSS 2019, San Diego, California, USA, February 24-27, 2019
Replication: Do We Snooze If We Can't Lose? Modelling Risk with Incentives in Habituation User Studies
Karoline Busse, Dominik Wermke, Sabrina Amft, Sascha Fahl, Emanuel von Zezschwitz, and Matthew Smith. Proceedings of the 2019 Workshop on Usable Security (USEC), USEC 2019, San Diego, CA, USA, February 24, 2019

2018

A Large Scale Investigation of Obfuscation Use in Google Play
Dominik Wermke, Nicolas Huaman, Yasemin Acar, Bradley Reaves, Patrick Traynor, and Sascha Fahl. Proceedings of the 34th Annual Computer Security Applications Conference, ACSAC 2018, San Juan, PR, USA, December 03-07, 2018
Better managed than memorized? Studying the Impact of Managers on Password Strength and Reuse
Sanam Ghorbani Lyastani, Michael Schilling, Sascha Fahl, Michael Backes, and Sven Bugiel. 27th USENIX Security Symposium, USENIX Security 2018, Baltimore, MD, USA, August 15-17, 2018.
Developers Deserve Security Warnings, Too: On the Effect of Integrated Security Advice on Cryptographic API Misuse
Peter Leo Gorski, Luigi Lo Iacono, Dominik Wermke, Christian Stransky, Sebastian Möller, Yasemin Acar, and Sascha Fahl. Fourteenth Symposium on Usable Privacy and Security, SOUPS 2018, Baltimore, MD, USA, August 12-14, 2018.
Poster: Replication: Do We Snooze If We Can't Lose? Modelling Risk with Incentives in Habituation User Studies
Karoline Busse, Dominik Wermke, Sabrina Amft, Sascha Fahl, Emanuel von Zezschwitz, and Matthew Smith. In Fourteenth Symposium on Usable Privacy and Security, SOUPS 2018, Baltimore, MD, USA, August 12-14, 2018
Poster: On the Effect of Security Warnings on Cryptographic API Misuse
Peter Leo Gorski, Luigi Lo Iacono, Yasemin Acar, Sebastian Moeller, Christian Stransky, and Sascha Fahl. In 39th IEEE Symposium on Security and Privacy, IEEE S&P 2018, San Francisco, CA, USA, May 21-23, 2018
The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators
Marten Oltrogge, Erik Derr, Christian Stransky, Yasemin Acar, Sascha Fahl, Christian Rossow, Giancarlo Pellegrino, Sven Bugiel, and Michael Backes. 2018 IEEE Symposium on Security and Privacy, SP 2018, Proceedings, 21-23 May 2018, San Francisco, California, USA
Your Secrets Are Safe: How Browsers' Explanations Impact Misconceptions About Private Browsing Mode
Yuxi Wu, Panya Gupta, Miranda Wei, Yasemin Acar, Sascha Fahl, and Blase Ur. Proceedings of the 2018 World Wide Web Conference on World Wide Web, WWW 2018, Lyon, France, April 23-27, 2018

2017

A Stitch in Time: Supporting Android Developers in Writing Secure Code
Duc-Cuong Nguyen, Dominik Wermke, Yasemin Acar, Michael Backes, Charles Weir, and Sascha Fahl. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30 - November 03, 2017
Keep me Updated: An Empirical Study of Third-Party Library Updatability on Android
Erik Derr, Sven Bugiel, Sascha Fahl, Yasemin Acar, and Michael Backes. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30 - November 03, 2017
Where the Wild Warnings Are: Root Causes of Chrome HTTPS Certificate Errors
Mustafa Emre Acer, Emily Stark, Adrienne Porter Felt, Sascha Fahl, Radhika Bhargava, Bhanu Dev, Matt Braithwaite, Ryan Sleevi, and Parisa Tabriz. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30 - November 03, 2017
Developers Need Support, Too: A Survey of Security Advice for Software Developers
Yasemin Acar, Christian Stransky, Dominik Wermke, Charles Weir, Michelle L. Mazurek, and Sascha Fahl. IEEE Cybersecurity Development, SecDev 2017, Cambridge, MA, USA, September 24-26, 2017
Lessons Learned from Using an Online Platform to Conduct Large-Scale, Online Controlled Security Experiments with Software Developers
Christian Stransky, Yasemin Acar, Duc-Cuong Nguyen, Dominik Wermke, Doowon Kim, Elissa M. Redmiles, Michael Backes, Simson L. Garfinkel, Michelle L. Mazurek, and Sascha Fahl. 10th USENIX Workshop on Cyber Security Experimentation and Test, CSET 2017, Vancouver, BC, Canada, August 14, 2017
Security Developer Studies with GitHub Users: Exploring a Convenience Sample
Yasemin Acar, Christian Stransky, Dominik Wermke, Michelle L. Mazurek, and Sascha Fahl. Thirteenth Symposium on Usable Privacy and Security, SOUPS 2017, Santa Clara, CA, USA, July 12-14, 2017
Comparing the Usability of Cryptographic APIs
Yasemin Acar, Michael Backes, Sascha Fahl, Simson L. Garfinkel, Doowon Kim, Michelle L. Mazurek, and Christian Stransky. 2017 IEEE Symposium on Security and Privacy, SP 2017, San Jose, CA, USA, May 22-26, 2017
Stack Overflow Considered Harmful? The Impact of Copy&Paste on Android Application Security
Felix Fischer, Konstantin Böttinger, Huang Xiao, Christian Stransky, Yasemin Acar, Michael Backes, and Sascha Fahl. 2017 IEEE Symposium on Security and Privacy, SP 2017, San Jose, CA, USA, May 22-26, 2017
How Internet Resources Might Be Helping You Develop Faster but Less Securely
Yasemin Acar, Michael Backes, Sascha Fahl, Doowon Kim, Michelle L. Mazurek, and Christian Stransky. IEEE Security & Privacy, 15 (2), p. 50-60, 2017.

2016

You are Not Your Developer, Either: A Research Agenda for Usable Security and Privacy Research Beyond End Users
Yasemin Acar, Sascha Fahl, and Michelle L. Mazurek. IEEE Cybersecurity Development, SecDev 2016, Boston, MA, USA, November 3-4, 2016
An Empirical Study of Textual Key-Fingerprint Representations
Sergej Dechand, Dominik Schürmann, Karoline Busse, Yasemin Acar, Sascha Fahl, and Matthew Smith. 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, August 10-12, 2016.
SoK: Lessons Learned from Android Security Research for Appified Software Platforms
Yasemin Acar, Michael Backes, Sven Bugiel, Sascha Fahl, Patrick D. McDaniel, and Matthew Smith. IEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA, May 22-26, 2016
You Get Where You're Looking for: The Impact of Information Sources on Code Security
Yasemin Acar, Michael Backes, Sascha Fahl, Doowon Kim, Michelle L. Mazurek, and Christian Stransky. IEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA, May 22-26, 2016
Poster: Towards Ecological Validity for Password Alternative User Studies
Yasemin Acar, Michael Backes, Sascha Fahl, Maximilian Koch, and Christian Stransky. In 1st IEEE European Symposium on Security and Privacy, IEEE EuroS&P 2016, Saarbrücken, Germany, March 21-24, 2016
Poster: When Laziness Snaps Back – The Impact of Code Generators on App (In)Security
Yasemin Acar, Michael Backes, Sascha Fahl, and Christian Stransky. In 1st IEEE European Symposium on Security and Privacy, IEEE EuroS&P 2016, Saarbrücken, Germany, March 21-24, 2016

2015

VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assist Code Audits
Henning Perl, Sergej Dechand, Matthew Smith, Daniel Arp, Fabian Yamaguchi, Konrad Rieck, Sascha Fahl, and Yasemin Acar. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, October 12-16, 2015
To Pin or Not to Pin - Helping App Developers Bullet Proof Their TLS Connections
Marten Oltrogge, Yasemin Acar, Sergej Dechand, Matthew Smith, and Sascha Fahl. 24th USENIX Security Symposium, USENIX Security 15, Washington, D.C., USA, August 12-14, 2015.
SoK: Secure Messaging
Nik Unger, Sergej Dechand, Joseph Bonneau, Sascha Fahl, Henning Perl, Ian Goldberg, and Matthew Smith. 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, May 17-21, 2015

2014

Hey, NSA: Stay Away from my Market! Future Proofing App Markets against Powerful Attackers
Sascha Fahl, Sergej Dechand, Henning Perl, Felix Fischer, Jaromir Smrcek, and Matthew Smith. Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, November 3-7, 2014
Who's Afraid of Which Bad Wolf? A Survey of IT Security Risk Awareness
Marian Harbach, Sascha Fahl, and Matthew Smith. IEEE 27th Computer Security Foundations Symposium, CSF 2014, Vienna, Austria, 19-22 July, 2014
Why eve and mallory (also) love webmasters: a study on the root causes of SSL misconfigurations
Sascha Fahl, Yasemin Acar, Henning Perl, and Matthew Smith. 9th ACM Symposium on Information, Computer and Communications Security, ASIA CCS '14, Kyoto, Japan - June 03 - 06, 2014
You Won't Be Needing These Any More: On Removing Unused Certificates from Trust Stores
Henning Perl, Sascha Fahl, and Matthew Smith. Financial Cryptography and Data Security - 18th International Conference, FC 2014, Christ Church, Barbados, March 3-7, 2014, Revised Selected Papers

2013

Rethinking SSL development in an appified world
Sascha Fahl, Marian Harbach, Henning Perl, Markus Koetter, and Matthew Smith. 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS'13, Berlin, Germany, November 4-8, 2013
On the Acceptance of Privacy-Preserving Authentication Technology: The Curious Case of National Identity Cards
Marian Harbach, Sascha Fahl, Matthias Rieger, and Matthew Smith. Privacy Enhancing Technologies - 13th International Symposium, PETS 2013, Bloomington, IN, USA, July 10-12, 2013. Proceedings
On the ecological validity of a password study
Sascha Fahl, Marian Harbach, Yasemin Acar, and Matthew Smith. Symposium On Usable Privacy and Security, SOUPS '13, Newcastle, United Kingdom, July 24-26, 2013
Hey, You, Get Off of My Clipboard - On How Usability Trumps Security in Android Password Managers
Sascha Fahl, Marian Harbach, Marten Oltrogge, Thomas Muders, and Matthew Smith. Financial Cryptography and Data Security - 17th International Conference, FC 2013, Okinawa, Japan, April 1-5, 2013, Revised Selected Papers
Sorry, I Don't Get It: An Analysis of Warning Message Texts
Marian Harbach, Sascha Fahl, Polina Yakovleva, and Matthew Smith. Financial Cryptography and Data Security - FC 2013 Workshops, USEC and WAHC 2013, Okinawa, Japan, April 1, 2013, Revised Selected Papers

2012

Towards measuring warning readability
Marian Harbach, Sascha Fahl, Thomas Muders, and Matthew Smith. The ACM Conference on Computer and Communications Security, CCS'12, Raleigh, NC, USA, October 16-18, 2012
Why eve and mallory love android: an analysis of android SSL (in)security
Sascha Fahl, Marian Harbach, Thomas Muders, Matthew Smith, Lars Baumgärtner, and Bernd Freisleben. The ACM Conference on Computer and Communications Security, CCS'12, Raleigh, NC, USA, October 16-18, 2012
Helping Johnny 2.0 to encrypt his Facebook conversations
Sascha Fahl, Marian Harbach, Thomas Muders, Matthew Smith, and Uwe Sander. Symposium On Usable Privacy and Security, SOUPS '12, Washington, DC, USA - July 11 - 13, 2012
Towards privacy-preserving access control with hidden policies, hidden credentials and hidden decisions
Marian Harbach, Sascha Fahl, Michael Brenner, Thomas Muders, and Matthew Smith. Tenth Annual International Conference on Privacy, Security and Trust, PST 2012, Paris, France, July 16-18, 2012
Confidentiality as a Service - Usable Security for the Cloud
Sascha Fahl, Marian Harbach, Thomas Muders, and Matthew Smith. 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2012, Liverpool, United Kingdom, June 25-27, 2012
Human-centric visual access control for clinical data management
Sascha Fahl, Marian Harbach, and Matthew Smith. 6th IEEE International Conference on Digital Ecosystems and Technologies, DEST 2012, Campione d'Italia, Italy, June 18-20, 2012
TrustSplit: usable confidentiality for social network messaging
Sascha Fahl, Marian Harbach, Thomas Muders, and Matthew Smith. 23rd ACM Conference on Hypertext and Social Media, HT '12, Milwaukee, WI, USA, June 25-28, 2012
All our messages are belong to us: usable confidentiality in social networks
Marian Harbach, Sascha Fahl, Thomas Muders, and Matthew Smith. Proceedings of the 21st World Wide Web Conference, WWW 2012, Lyon, France, April 16-20, 2012 (Companion Volume)

2011

TrustBox: A Security Architecture for Preventing Data Breaches
Matthias Schmidt, Sascha Fahl, Roland Schwarzkopf, and Bernd Freisleben. Proceedings of the 19th International Euromicro Conference on Parallel, Distributed and Network-based Processing, PDP 2011, Ayia Napa, Cyprus, 9-11 February 2011