1: Do use strong passwords
...For everything mobile. Every. Single. Thing. From your lockscreen to your email, to your app logins. No password should be simple to remember or enter. You've heard this countless times, but it always, always, always bears repeating. First, not having a lockscreen password shouldn't even be considered an option. Second, never use a simple password for this first line of defense. Ever. Make this password (PIN or pattern) as complicated as you can handle. The more complicated your password, the harder it will be for others to get to your data.
2: Do use two-factor authentication on everything possible
Google, Facebook, Amazon: They all offer two-factor authentication. Employing this on each service should not be an option. When these accounts get hacked, bad things happen. You can lose money, you can lose friends, you can lose information. Two-factor authentication can go a long way toward preventing this from happening—and it's not difficult to do. You'll definitely want to make use of the Google Authenticator or Authy to dole out the six-digit keys to get you into your accounts.
3: Do encrypt your device
Yes, your device performance will take a slight hit, but the added security is worth it. Once you've encrypted the device, you'll add an extra required password (during boot) that can't be circumvented. If you purchase a newer Android device (one that shipped with Marshmallow), you're already enjoying full device encryption. To find out if your device is encrypted, go to Settings | Security and look for the Encryption section. If it is listed as Encrypted, you're good to go.
4: Do use a password manager
You shouldn't allow any apps to save your password for you, unless the app is designed specifically for saving passwords. The last thing you want to do is have all your passwords cached on your mobile device. If you lose it (or it gets stolen), all those passwords are there for the taking. Instead of saving the passwords, use a solid password manager (like 1Password). Yes, this will be a bit of an inconvenience, but the added security will be well worth it.
5: Don't skip the updates
There's a reason why apps update, and it's not just for features. Apps update to fix security issues as well. If you don't bother to update those apps, you may leave yourself open to security flaws that could lead to terrible, horrible, no good, very bad... issues. You should always update your apps. The longer you wait, the longer your device stands vulnerable.
6: Do lock your apps
There are apps in the Google Play Store that allow you to secure other apps with passwords. This means you can choose which apps you want to password protect. Once protected, those apps can be opened only after entering the required password. No password, no entry. One of my favorite apps for this purpose is AppLock. It's reliable, easy to use, free, and does the job without adding so many bells and whistles as to complicate the process.
7: Do manage your app permissions
Thanks to Android Marshmallow, managing app permissions is finally in the hands of the end user. This means you can remove permission for an app to, say, access the device mic or camera. For example, you don't want Facebook to be able to use your location. You can now disable that particular feature from the app. To do this, go to Settings | Apps and then tap the gear icon and tap App Permissions. The system is straightforward and does a great job of empowering the user. Just make sure you don't disable permissions for system apps (which are hidden, by default, in the Permissions Manager window).
8: Don't use open Wi-Fi networks
If you're at a coffee shop and its wireless network is not password protected, don't use it—especially if you'll be transmitting sensitive information. If you find yourself faced with an open wireless situation, use your carrier network instead. If you have no choice, use one of the many VPN services available (such as TunnelBear VPN). When using an open network through a VPN connection your data will at least be encrypted and a bit more challenging to abscond with.
9: Don't install apps from a third party
You may be tempted to install that really cool sounding Android app from a third party. Don't. You never know whether that app might contain a dangerous piece of malware that could walk away with your sensitive information. Limit yourself to only installing from the Google Play Store. Even then, read the reviews of the app in question before installing. A few minutes of your time to check into an app (prior to installation) will be well worth the effort.
10: Do add your device with the Device Manager
Google has this handy tool called the Android Device Manager. Once your device is added, you can track it if it's lost—or even remotely wipe it, should you fear that your sensitive data could become compromised. To enable this feature, go to Settings | Google | Security and then tap to switch on both Remotely Locate This Device and Allow Remote Lock And Erase. You should do this immediately with your device. If you don't, and you lose your device, the Device Manager will do you no good.
Bonus tip: Do use the guest account feature
When handing over your device to another user (for whatever reason), make use of the guest account feature. If you pull down the notification shade (on Marshmallow, you must do this twice), you'll see a small icon representing your user account. Tap that icon and you can then add a guest user. Once added, when you hand that device over, tap the user icon to switch to the guest account. Making use of this system means the guest user can't access your data (unless they know your security password/PIN/pattern).