Their mobile application does or did send their Google GCM API keys to the client, along with a bunch of other bizarre server configuration information. I had no way to report it; I tried sending an email to their WHOIS contact to no avail.

If anyone has successfully reported a vulnerability to them, let me know!