Many of the early posts seem to misunderstand the vulnerability issue here.
This is not about your phone getting infected with malware that allows it to detect your PC keyboard typing.
This is about me putting the vibration-detection app on my own phone, and then going to someone else's desk and recording them logging in.
So, imagine me going to my local AT&T store, bank, or my boss's computer, and casually setting my phone down while they log in to check my account or whatever.
Granted, some of those systems will require more than just a password (I might need their username, or the URL to log in, or perhaps their firewall only accepts certain IPs), but it's still a considerable weakness if this application is reliable and gets out in the open.
I can imagine keyboards that are "vibration silent" or special "vibration absorption" pads that will prevent this from happening. Either that, or customer service reps will start saying "Please remove your phone from my desk while I access your account."