I brought this up when it was implemented, i even believe the alert systems on all coin clients are a vector of some sort. But when you truly understand how it works its no more of a threat then the developers becoming dishonest and inserting nefarious code in the binaries and source code.

The problem is, a human has control of all of those things. Thats something we still cant quite get away from just yet. Because we still need humans to create binaries for users who cant make their own and who cant read code. Just because its from an official source does not mean one day, one of those binaries wont have bad code in them. Thus potentially making even the official source a potent attack vector, clearly its the most probable. To be honest i think both alert systems and feeds of any sort should be done away with in these clients.

To answer your question though, both systems (alert and news) require security keys.