So what's the exploit here? Is it a bug in the cards or the protocol or what? Or is the card info considered "public" by the protocol (i.e. I could imagine an authentication scheme where the card could provide its number but the bank would only honor charges via the secure contactless scheme which came with an RSA cookie or whatnot).
Sorry.. Am calling BS on this... To read any protected memory regions on an NFC card a fairly complicated handshake has to occur with various exchanges of keys - you can't just read details with your average NFC reader in an Android phone using an app that doesn't even require root...
The app is designed to be used with the German GeldKarte which appears to use an old NFC technology. It isn't a credit card, you have to load cash onto it before you can spend it, and doesn't use the same security as modern contactless bank cards.
Also it appears this isn't the first app to do this:
Not exactly BS - it depends on the cards. In the UK this has been demonstrated to work on Visa cards from a few different banks. I did a quick demo for Channel 4 News at their request a little while ago, video:
Also did one in a crowded lift for BBC Watchdog and live on This Morning breakfast show. It is pretty old news (as in years old) and is not exactly an effective way to lift lots of details. But makes a cute demo.
Along these lines - are there any good 'hacker' tools out there for the various phone platforms? I know there are port scanners and some other things out there but is this a well-developed space?
On Android, apart from being able to run Backtrack on certain Android devices you have tools to MITM WiFi and other fun stuff (on rooted phones) and there is some movement in making it into a developed product, e.g. ANTI: http://www.zimperium.com/Android_Network_Toolkit.html
Depends what you're interested in, but as an iOS developer I highly recommend Jonathan Zdziarski's "Hacking and Securing iOS Applications", published by O'Reilly. It's a good primer, and covers a wide variety of both exploits and hacks.
I gave it a quick try with some credit cards I have and it immediately displayed information.