Publications
2025
Attributing Open-Source Contributions is Critical but Difficult: A Systematic Analysis of GitHub Practices and Their Impact on Software Supply Chain Security
Jan-Ulrich Holtgrave, Kay Friedrich, Fabian Fischer, Nicolas Huaman, Niklas Busch, Jan Klemmer, Marcel Fourné, Oliver Wiese, Dominik Wermke, Sascha Fahl
Network and Distributed System Security Symposium - NDSS'25
“I’m pretty expert and I still screw it up”: Qualitative Insights into Experiences and Challenges of Designing and Implementing Cryptographic Library APIs
Juliane Schmüser, Philip Klostermeyer, Kay Friedrich, Sascha Fahl
IEEE Symposium on Security and Privacy - Oakland'25
Transparency in Usable Privacy and Security Research: Scholars’ Perspectives, Practices, and Recommendations
Jan Klemmer, Juliane Schmüser, Byron M. Lowens, Fabian Fischer, Lea Schmüser, Florian Schaub, Sascha Fahl
IEEE Symposium on Security and Privacy - Oakland'25
“It’s time. Time for digital security.”: An End User Study on Actionable Security and Privacy Advice
Anna Lena Rotthaler, Harshini Sri Ramulu, Lucy Simko, Sascha Fahl, Yasemin Acar
IEEE Symposium on Security and Privacy - Oakland'25
“It’s Not My Data Anymore”: Exploring Non-Users’ Privacy Perceptions of Medical Data Donation Apps
Sarah Abdelwahab Gaballah, Lamya Abdullah, Ephraim Zimmer, Sascha Fahl, Max Mühlhäuser, Karola Marky
Privacy Enhancing Technologies Symposium 2025 - PETS'25
2024
Skipping the Security Side Quests: A Qualitative Study on Security Practices and Challenges in Game Development
Philip Klostermeyer, Sabrina Amft, Sandra Höltervennhoff, Alexander Krause, Niklas Busch, Sascha Fahl
ACM Conference on Computer and Communications Security - CCS'24
Using AI Assistants in Software Development: A Qualitative Study on Security Practices and Concerns
Jan Klemmer, Stefan Albert Horstmann, Nikhil Patnaik, Cordelia Ludden, Cordell Burton Jr, Carson Powers, Fabio Massacci, Akond Rahman, Daniel Votipka, Heather Richter Lipford, Awais Rashid, Alena Naiakshina, Sascha Fahl
ACM Conference on Computer and Communications Security - CCS'24
Passwords To-Go: Investigating Multifaceted Challenges for Password Managers in the Android Ecosystem
Nicolas Huaman, Marten Oltrogge, Sabrina Amft, Yannik Evers, Sascha Fahl
Proceedings of the 2024 Annual Computer Security Applications Conference - ACSAC'24
Adoption Challenges for Cryptographic Protocols
Konstantin Fischer, Ivana Trummová, Phillip Gajland, Yasemin Acar, Sascha Fahl, Angela Sasse
IEEE Security and Privacy Magazine 2024
“You have to read 50 different RFCs that contradict each other”: An Interview Study on the Experiences of Implementing Cryptographic Standards
Nicolas Huaman, Jacques Suray, Jan Klemmer, Marcel Fourné, Sabrina Amft, Ivana Trummová, Yasemin Acar, Sascha Fahl
USENIX Security Symposium - SEC'24
Everyone for Themselves? A Qualitative Study about Individual Security Setups of Open Source Software Contributors
Sabrina Amft, Sandra Höltervennhoff, Rebecca Panskus, Karola Marky, Sascha Fahl
IEEE Symposium on Security and Privacy - Oakland'24
A Mixed-Methods Study on User Experiences and Challenges of Recovery Codes for an End-to-End Encrypted Service
Sandra Höltervennhoff, Marten Oltrogge, Oliver Wiese, Noah Woehler, Yasemin Acar, Sascha Fahl
USENIX Security Symposium - SEC'24
Analyzing Security and Privacy Advice During the 2022 Russian Invasion of Ukraine on Twitter
Juliane Schmüser, Harshini Sri Ramulu, Noah Woehler, Christian Stransky, Felix Bensmann, Dimitar Dimitrov, Sebastian Schellhammer, Dominik Wermke, Stefan Dietze, Yasemin Acar, Sascha Fahl
ACM CHI Conference on Human Factors in Computing Systems - CHI'24
Mental Models, Expectations and Implications of Client-Side Scanning: An Interview Study with Experts
Divyanshu Bhardwaj, Carolyn Guthoff, Adrian Dabrowski, Sascha Fahl, Katharina Krombholz
ACM CHI Conference on Human Factors in Computing Systems - CHI'24
On The Challenges of Bringing Cryptography from Papers to Products: Results from an Interview Study with Experts (Extended Version)
Konstantin Fischer, Ivana Trummová, Phillip Gajland, Yasemin Acar, Sascha Fahl, Angela Sasse
USENIX Security Symposium - SEC'24
2023
“We’ve Disabled MFA for You”: An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments
Sabrina Amft, Sandra Höltervennhoff, Nicolas Huaman, Alexander Krause, Lucy Simko, Yasemin Acar, Sascha Fahl
ACM Conference on Computer and Communications Security - CCS'23
“Make Them Change it Every Week!”: A Qualitative Exploration of Online Developer Advice on Usable and Secure Authentication
Jan Klemmer, Marco Gutfleisch, Christian Stransky, Yasemin Acar, Angela Sasse, Sascha Fahl
ACM Conference on Computer and Communications Security - CCS'23
Privacy Mental Models of Electronic Health Records: A German Case Study
Rebecca Panskus, Sascha Fahl, Max Ninow, Karola Marky
Symposium on Usable Privacy and Security - SOUPS'23
Pushed by Accident: A Mixed-Methods Study on Strategies of Handling Secret Information in Source Code Repositories
Alexander Krause, Jan Klemmer, Nicolas Huaman, Dominik Wermke, Yasemin Acar, Sascha Fahl
USENIX Security Symposium - SEC'23
“I wouldn’t want my unsafe code to run my pacemaker”: An Interview Study on the Use, Comprehension, and Perceived Risks of Unsafe Rust
Sandra Höltervennhoff, Philip Klostermeyer, Noah Woehler, Yasemin Acar, Sascha Fahl
USENIX Security Symposium - SEC'23
“Would You Give the Same Priority to the Bank and a Game? I Do Not!” - Exploring Credential Management Strategies and Obstacles during Password Manager Setup
Sabrina Amft, Sandra Höltervennhoff, Nicolas Huaman, Yasemin Acar, Sascha Fahl
Symposium on Usable Privacy and Security - SOUPS'23
“Always Contribute Back”: A Qualitative Study on Security Challenges of the Open Source Supply Chain
Dominik Wermke, Jan Klemmer, Noah Woehler, Juliane Schmüser, Harshini Sri Ramulu, Yasemin Acar, Sascha Fahl
IEEE Symposium on Security and Privacy - Oakland'23
“It’s like flossing your teeth”: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security
Marcel Fourné, Dominik Wermke, William Enck, Sascha Fahl, Yasemin Acar
IEEE Symposium on Security and Privacy - Oakland'23
“Security is not my field, I’m a stats guy”: A Qualitative Root Cause Analysis of Barriers to Adversarial Machine Learning Defenses in Industry
Jaron Mink, Harjot Kaur, Juliane Schmüser, Sascha Fahl, Yasemin Acar
USENIX Security Symposium - SEC'23
Privacy Rarely Considered: Exploring Considerations in the Adoption of Third-Party Services by Websites
Christine Utz, Sabrina Amft, Martin Degeling, Sascha Fahl, Florian Schaub, Thorsten Holz
Privacy Enhancing Technologies Symposium 2023 - PETS'23
2022
If You Can’t Get Them to the Lab: Evaluating a Virtual Study Environment with Security Information Workers
Nicolas Huaman, Alexander Krause, Dominik Wermke, Christian Stransky, Jan Klemmer, Yasemin Acar, Sascha Fahl
Symposium on Usable Privacy and Security - SOUPS'22
Where to Recruit for Security Development Studies from: Comparing Six Software Developer Samples
Harjot Kaur, Sabrina Amft, Daniel Votipka, Yasemin Acar, Sascha Fahl
USENIX Security Symposium - SEC'22
Committed to Trust: A Qualitative Study on Security & Trust in Open Source Software Projects
Dominik Wermke, Noah Woehler, Jan Klemmer, Marcel Fourné, Yasemin Acar, Sascha Fahl
IEEE Symposium on Security and Privacy - Oakland'22
27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University
Christian Stransky, Oliver Wiese, Volker Roth, Yasemin Acar, Sascha Fahl
IEEE Symposium on Security and Privacy - Oakland'22
How Does Usable Security (Not) End Up in Software Products? Results From a Qualitative Interview Study
Marco Gutfleisch, Jan Klemmer, Niklas Busch, Yasemin Acar, Angela Sasse, Sascha Fahl
IEEE Symposium on Security and Privacy - Oakland'22
2021
On the Limited Impact of Visualizing Encryption: Perceptions of E2E Messaging Security
Christian Stransky, Dominik Wermke, Johanna Schrader, Nicolas Huaman, Yasemin Acar, Anna Lena Fehlhaber, Miranda Wei, Blase Ur, Sascha Fahl
Symposium on Usable Privacy and Security - SOUPS'21
Never ever or no matter what: Investigating Adoption Intentions and Misconceptions about the Corona-Warn-App in Germany
Maximilian Häring, Eva Gerlitz, Christian Tiefenau, Matthew Smith, Dominik Wermke, Sascha Fahl, Yasemin Acar
Symposium on Usable Privacy and Security - SOUPS'21
They Would do Better if They Worked Together: The Case of Interaction Problems Between Password Managers and Websites
Nicolas Huaman, Sabrina Amft, Marten Oltrogge, Yasemin Acar, Sascha Fahl
IEEE Symposium on Security and Privacy - Oakland'21
A Large-Scale Interview Study on Information Security in and Attacks against Small and Medium-sized Enterprises
Nicolas Huaman, Bennet von Skarczinski, Christian Stransky, Dominik Wermke, Yasemin Acar, Arne Dreißigacker, Sascha Fahl
USENIX Security Symposium - SEC'21
Why Eve and Mallory Still Love Android: Revisiting TLS (In)Security in Android Applications
Marten Oltrogge, Nicolas Huaman, Sabrina Amft, Yasemin Acar, Michael Backes, Sascha Fahl
USENIX Security Symposium - SEC'21
2020
Cloudy with a Chance of Misconceptions: Exploring Users’ Perceptions and Expectations of Security and Privacy in Cloud Office Suites
Dominik Wermke, Christian Stransky, Nicolas Huaman, Niklas Busch, Yasemin Acar, Sascha Fahl
Symposium on Usable Privacy and Security - SOUPS'20
From Needs to Actions to Secure Apps? The Effect of Requirements and Developer Practices on App Security
Charles Weir, Ben Hermann, Sascha Fahl
USENIX Security Symposium - SEC'20
Listen to Developers! A Participatory Design Study on Security Warnings for Cryptographic APIs
Peter Leo Gorski, Yasemin Acar, Luigi Lo Iacono, Sascha Fahl
ACM CHI Conference on Human Factors in Computing Systems - CHI'20
2019
(Un)informed Consent: Studying GDPR Consent Notices in the Field
Christine Utz, Martin Degeling, Sascha Fahl, Florian Schaub, Thorsten Holz
ACM Conference on Computer and Communications Security - CCS'19
Do We Snooze If We Can’t Lose? Modelling Risk with Incentives in Habituation User Studies
Karoline Busse, Dominik Wermke, Sabrina Amft, Sascha Fahl, Emanuel von Zezschwitz, Matthew Smith
Proceedings USEC 2019 - USEC'19
2018
A Large Scale Investigation of Obfuscation Use in Google Play
Dominik Wermke, Nicolas Huaman, Yasemin Acar, Brad Reaves, Patrick Traynor, Sascha Fahl
Proceedings of the 2018 Annual Computer Security Applications Conference - ACSAC'18
Better managed than memorized? Studying the Impact of Managers on Password Strength and Reuse
Sanam Ghorbani Lyastani, Michael Schilling, Sascha Fahl, Michael Backes, Sven Bugiel
USENIX Security Symposium - SEC'18
Developers Deserve Security Warnings, Too: On the Effect of Integrated Security Advice on Cryptographic API Misuse
Peter Leo Gorski, Luigi Lo Iacono, Dominik Wermke, Christian Stransky, Sebastian Möller, Yasemin Acar, Sascha Fahl
Symposium on Usable Privacy and Security - SOUPS'18
Your Secrets Are Safe: How Browsers’ Explanations Impact Misconceptions About Private Browsing Mode
Yuxi Wu, Panya Gupta, Miranda Wei, Yasemin Acar, Sascha Fahl, Blase Ur
The Web Conference 2018 - WWW'18
The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators
Marten Oltrogge, Erik Derr, Christian Stransky, Sven Bugiel, Giancarlo Pellegrino, Christian Rossow, Sascha Fahl, Yasemin Acar, Michael Backes
IEEE Symposium on Security and Privacy - Oakland'18
2017
Where the Wild Warnings Are: Root Causes of Chrome HTTPS Certificate Errors
Mustafa Emre Acer, Emily Stark, Adrienne Porter Felt, Sascha Fahl, Radhika Bhargava, Bhanu Dev, Matt Braithwaite, Ryan Sleevi, Parisa Tabriz
ACM Conference on Computer and Communications Security - CCS'17
A Stitch in Time: Supporting Android Developers in Writing Secure Code
Duc Cuong Nguyen, Dominik Wermke, Yasemin Acar, Michael Backes, Charles Weir, Sascha Fahl
ACM Conference on Computer and Communications Security - CCS'17
Keep me updated: An Empirical Study of Third-Party Library Updatability on Android
Erik Derr, Sven Bugiel, Sascha Fahl, Yasemin Acar, Michael Backes
ACM Conference on Computer and Communications Security - CCS'17
Developers Need Support, Too: A Survey of Security Advice for Software Developers
Yasemin Acar, Christian Stransky, Dominik Wermke, Charles Weir, Michelle Mazurek, Sascha Fahl
IEEE Secure Development Conference - SecDev'17
Lessons Learned from Using an Online Platform to Conduct Large-Scale, Online Controlled Security Experiments with Software Developers
Christian Stransky, Yasemin Acar, Duc Cuong Nguyen, Dominik Wermke, Elissa M. Redmiles, Doowon Kim, Michael Backes, Simson Garfinkel, Michelle Mazurek, Sascha Fahl
USENIX Workshop on Cyber Security Experimentation and Test - CSET'17
Security Developer Studies with GitHub Users: Exploring a Convenience Sample
Yasemin Acar, Christian Stransky, Dominik Wermke, Michelle Mazurek, Sascha Fahl
Symposium on Usable Privacy and Security - SOUPS'17
Comparing the Usability of Cryptographic APIs
Yasemin Acar, Michael Backes, Sascha Fahl, Simson Garfinkel, Doowon Kim, Michelle Mazurek, Christian Stransky
IEEE Symposium on Security and Privacy - Oakland'17
Stack Overflow Considered Harmful? The Impact of Copy & Paste on Android Application Security
Felix Fischer, Konstantin Böttinger, Huang Xiao, Christian Stransky, Yasemin Acar, Michael Backes, Sascha Fahl
IEEE Symposium on Security and Privacy - Oakland'17
How Internet Resources Might Be Helping You Develop Faster but Less Securely
Yasemin Acar, Michael Backes, Sascha Fahl, Doowon Kim, Michelle Mazurek, Christian Stransky
IEEE Security and Privacy Magazine 2017
2016
You Are Not Your Developer, Either: A Research Agenda For Usable Security and Privacy Research Beyond End Users
Yasemin Acar, Sascha Fahl, Michelle Mazurek
IEEE Secure Development Conference - SecDev'16
An Empirical Study of Textual Key-Fingerprint Representations
Sergej Dechand, Dominik Schürmann, Karoline Busse, Yasemin Acar, Sascha Fahl, Matthew Smith
USENIX Security Symposium - SEC'16
You Get Where You’re Looking For - The Impact of Information Sources on Code Security
Yasemin Acar, Michael Backes, Sascha Fahl, Doowon Kim, Michelle Mazurek, Christian Stransky
IEEE Symposium on Security and Privacy - Oakland'16
SoK: Lessons Learned From Android Security Research For Appified Software Platforms
Yasemin Acar, Michael Backes, Sven Bugiel, Sascha Fahl, Patrick McDaniel, Matthew Smith
IEEE Symposium on Security and Privacy - Oakland'16
2015
To Pin or Not to Pin - Helping App Developers To Bulletproof Their TLS Connections
Marten Oltrogge, Yasemin Acar, Sergej Dechand, Matthew Smith, Sascha Fahl
USENIX Security Symposium - SEC'15
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assist Code Audits
Henning Perl, Daniel Arp, Sergej Dechand, Sascha Fahl, Yasemin Acar, Fabian Yamaguchi, Konrad Rieck, Matthew Smith
ACM Conference on Computer and Communications Security - CCS'15
SoK: Secure Messaging
Nick Unger, Sergej Dechand, Joseph Bonneau, Sascha Fahl, Henning Perl, Ian Goldberg, Matthew Smith
IEEE Symposium on Security and Privacy - Oakland'15
2014
Who’s Afraid of Which Bad Wolf? A Survey of IT Security Risk Awareness
Marian Harbach, Sascha Fahl, Matthew Smith
Computer Security Foundations Symposium - CSF'14
Why Eve and Mallory (Also) Love Webmasters: A Study on the Root Causes of SSL Misconfigurations
Sascha Fahl, Yasemin Acar, Henning Perl, Matthew Smith
ACM Symposium on Information, Computer and Communications Security - AsiaCCS'14
Hey, NSA: Stay Away from my Market! Future Proofing App Markets Against Powerful Attackers
Sascha Fahl, Sergej Dechand, Henning Perl, Felix Fischer, Jaromir Smrceck, Matthew Smith
ACM Conference on Computer and Communications Security - CCS'14
You Won’t Be Needing These Any More: On Removing Unused Certificates From Trust Stores
Henning Perl, Sascha Fahl, Matthew Smith
Conference on Financial Cryptography and Data Security - FC'14
2013
Rethinking SSL Development in an Appified World
Sascha Fahl, Marian Harbach, Henning Perl, Markus Kötter, Matthew Smith
ACM Conference on Computer and Communications Security - CCS'13
Hey, You, Get Off of My Clipboard - On How Usability Trumps Security in Android Password Managers
Sascha Fahl, Marian Harbach, Marten Oltrogge, Thomas Muders, Matthew Smith
Conference on Financial Cryptography and Data Security - FC'13
On the Acceptance of Privacy-Preserving Authentication Technology: The Curious Case of National Identity Cards
Marian Harbach, Sascha Fahl, Matthias Rieger, Matthew Smith
Privacy Enhancing Technologies Symposium - PETS'13
On The Ecological Validity of a Password Study
Sascha Fahl, Marian Harbach, Yasemin Acar, Matthew Smith
Symposium on Usable Privacy and Security - SOUPS'13
2012
Why Eve and Mallory Love Android: An Analysis of SSL (In)Security
Sascha Fahl, Marian Harbach, Thomas Muders, Lars Baumgärtner, Bernd Freisleben, Matthew Smith
ACM Conference on Computer and Communications Security - CCS'12
Helping Johnny 2.0 to Encrypt His Facebook Conversations
Sascha Fahl, Marian Harbach, Thomas Muders, Uwe Sanders, Matthew Smith
Symposium on Usable Privacy and Security - SOUPS'12