The Replicant project is a Free Software-specific fork of Android, which focuses on users’ freedoms, and privacy/security. They try to get Android running without any firmware- or OS-level “blobs”, which gives them technical perspectives that most don’t have. They have a document which gives a decent introduction to mobile device security, including hardware, firmware, OS, and app issues, and about security issues of mobile baseband chips.. The advice is focused for someone using Replicant, but the app advice is applicable to most Android users.
More Information:
Firmware Security 