A first application demonstrating the technology has just been released for the iPad2. The technology should be available on other devices with similar computational power soon."
As part of the attack, the anonymous researchers obtained a signature certificate from VeriSign for a company named Apple Computer
You have to fool VeriSign first, just like any other SSL man-in-the-middle attack, so I guess it depends on what you call easy.
Actually, as stated in the original blog post linked from the article, it was a demo signature certificate for a person named "Apple Computer". Such certificates are offered by VeriSign without validation. The problem is that the iPhone trusts such certificates, and that it doesn't make it clear that it isn't a validated organization name it publishes.
The reason for the dialog you get when launching a downloaded application for the first time is to counter an otherwise existing flaw where an application could be disguised as a document.
The key part of the dialog message is not that the file was downloaded from "the Internet", but rather the fact that the file is "an application".
You're already carrying the sphere!