Could Air lack security substance?

I like the idea of Rich Internet Applications (RIAs). As such, I think Adobe Air could be truly great as a way of bringing together the idea of web-based server computing with the rich UI of the PC graphical user interface.

I am concerned, however.

RIAs allow access to the client device in a way that would be near impossible with browser-based computing.

So when Adobe told me about Air and its rich Internet runtime environment, I could see the potential. I could also see a big problem…

RIAs can write to the hard disc and networks of a client device. This means they could be used to corrupt a PC if someone wrote a rogue RIA.

Adobe’s answer is signed applications. An application needs a certificate before it’ll run. This is great but could restrict the adoption of Air as an Internet format. So Adobe allows developers to self-sign, in other words, anyone is able to produce an application and make sure it gets a valid certificate. The end user is warned to check the certificate and allowed to download and run the Air application.

Now we are all aware of how stupid some end users can be. So doesn’t Adobe’s approach seem a tad irresponsible? Haven’t we learned anything about the level of deceit that is possible today from even a basic phishing attack? End users don’t think logically, they will download anything they find remotely interesting.