I will have to agree with @vgarcia here.
Don't reinvent the wheel. There are dozens of off-the-shelf solutions that help you do the login process under the hood and have already implemented security measures.
But if you think you definitely need to build your own login system, send the username and an encrypted version of the password (using one-way encryption like md5+salt, which should be kept super-secret; you may even retrieve it from the server dynamically regularly). After your server sends a successful response assume the user is logged in and only do periodical checks/calls to the server to make sure you haven't deleted or deactivated the user remotely (e.g. before every important operation, such as account modifications on the device or adding/deleting transactions if you do a financial app).
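The server side of the login and re-check flow described in the post above, as an added example that is not part of the original post. It assumes the password reaches the server over TLS and swaps PBKDF2-HMAC-SHA256 with a per-user random salt for the md5+salt the post mentions; the in-memory stores and all function names are hypothetical.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores (assumption); a real server would use a database.
USERS = {}     # username -> {"salt": bytes, "hash": bytes, "active": bool}
SESSIONS = {}  # opaque session token -> username

def _derive(password: str, salt: bytes) -> bytes:
    # Deliberately slow key derivation, swapped in for md5+salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)  # per-user random salt, stored beside the hash
    USERS[username] = {"salt": salt, "hash": _derive(password, salt), "active": True}

def login(username: str, password: str):
    """Return a random session token on success, None otherwise."""
    user = USERS.get(username)
    # Derive even for unknown users so response time does not reveal valid names.
    candidate = _derive(password, user["salt"] if user else b"\x00" * 16)
    if user is None or not user["active"]:
        return None
    if not hmac.compare_digest(candidate, user["hash"]):  # constant-time compare
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def authorize(token: str):
    """Server-side check to run before every important operation."""
    username = SESSIONS.get(token)
    user = USERS.get(username) if username else None
    if user is None or not user["active"]:
        SESSIONS.pop(token, None)  # deleted or deactivated: drop the session
        return None
    return username

def deactivate(username: str) -> None:
    USERS[username]["active"] = False
```

The client keeps only the opaque token; every sensitive request passes it to `authorize`, so a remote deactivation takes effect on the next important operation.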