Should I encrypt the password on the application or server?

3

I'm making an application that requires user registration, and my question is whether to do the encryption in the application and save it to the server, or to send the password and do the encryption on the server at registration time?

asked by anonymous 24.08.2017 / 16:27

2 answers

5

All sensitive information should always be encrypted, from where it is entered all the way to the server. You can use the mechanisms available in the operating system and accessible through the device API.

On the server you should immediately turn it into a hash and discard the original password.

You can go beyond that and do end-to-end encryption, but it's a more complicated process, creates some difficulties, and is only for where a lot of privacy is needed and the attack surface has to be reduced a little further, which still guarantees nothing, because the endpoint can be compromised in various ways.

24.08.2017 / 16:39
2

Responding clearly and quickly: The password must be encrypted in the application.

Why?

When the application sends the data to the server, nothing prevents this data from being read or intercepted midway, as in a man-in-the-middle attack. When this data travels across the network in plain text, anyone can read it without much difficulty.

But what if the communication is done using HTTPS?

With the use of HTTPS between services, the encryption of the messages exchanged between the endpoints is guaranteed, as long as the certificates and protocols involved are up to date and working.

Finally, the ideal would be to exchange messages using end-to-end encryption, as @bigown pointed out in his answer. However, due to the high cost and complexity, it becomes somewhat difficult to apply. So for your scenario, a near-ideal solution would be: the information leaves the app already encrypted and goes directly to your server over HTTPS.

24.08.2017 / 16:54
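As an added example that is not part of the question or of either answer, the Python below puts the two answers together: the app transforms the password before it leaves the device (the second answer's "leaves the app already encrypted"), and the server hashes whatever it receives with a fresh random salt and keeps only the resulting record, discarding the received value (the first answer's "hash and discard the original password"). Everything beyond that is an assumption made for this example: PBKDF2-HMAC-SHA256 from the standard library on both sides (a memory-hard password hash such as Argon2id or scrypt would be preferable where the platform provides one), a username-derived deterministic salt for the app-side step, the iteration counts, the `$`-separated record format, and the in-memory `USERS` dict standing in for the database. The HTTPS transport itself is not shown; the string returned by `client_prehash` is what would travel over it.

```python
import hashlib
import hmac
import secrets

# ---------------------------------------------------------------------------
# App side: runs on the user's device before anything is sent.
# Assumption (example choice): the app pre-hashes the password with PBKDF2,
# using a version tag plus the normalised username as a deterministic,
# non-secret salt, so the raw password never leaves the device even over TLS.
# ---------------------------------------------------------------------------
CLIENT_ITERATIONS = 100_000


def client_prehash(username: str, password: str) -> str:
    """Return the hex string the app sends over HTTPS instead of the password."""
    salt = ("prehash-v1:" + username.strip().lower()).encode()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, CLIENT_ITERATIONS)
    return digest.hex()


# ---------------------------------------------------------------------------
# Server side: treats whatever arrives as "the password", hashes it with a
# fresh random salt, and keeps only the resulting record.
# Assumption (example choice): PBKDF2-HMAC-SHA256 with 600k iterations and a
# "$"-separated record format.
# ---------------------------------------------------------------------------
SERVER_ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def server_store(received_secret: str, iterations: int = SERVER_ITERATIONS) -> str:
    """Hash the received secret with a new 16-byte salt; only the record is returned."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", received_secret.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def server_verify(record: str, received_secret: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", received_secret.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(record: str, iterations: int = SERVER_ITERATIONS) -> bool:
    """True if the record was made with weaker parameters than the current policy.
    Check this right after a successful login, while the secret is in hand, and
    store a new record so old entries get upgraded over time."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < iterations


# In-memory stand-in for the user table (constructed for this example).
USERS = {}
# A throwaway record so that logins for unknown users cost the same as real ones.
_DUMMY_RECORD = server_store(secrets.token_hex(16))


def register(username: str, password: str) -> str:
    """Registration: app pre-hashes, server hashes again and stores only the record."""
    wire = client_prehash(username, password)   # what travels over HTTPS
    record = server_store(wire)                 # server: hash what it received
    del wire                                    # server discards the received secret
    USERS[username] = record
    return record


def login(username: str, password: str) -> bool:
    """Login: same pre-hash on the app, same verification on the server."""
    wire = client_prehash(username, password)
    record = USERS.get(username, _DUMMY_RECORD)
    ok = server_verify(record, wire)            # always does the full work
    return ok and username in USERS


if __name__ == "__main__":
    rec = register("alice", "correct horse battery staple")
    print("stored record:", rec)
    print("login ok:", login("alice", "correct horse battery staple"))
    print("wrong password:", login("alice", "Tr0ub4dor&3"))
    print("unknown user:", login("bob", "correct horse battery staple"))
    # The server never saw the raw password, so it cannot verify against it:
    print("raw password against record:", server_verify(rec, "correct horse battery staple"))
```

The point to take from the server side is that the value the app sends is, from the server's perspective, the password: if the server stored it unchanged, anyone who read the database could log in by replaying the stored value, with no cracking needed. Hashing again on the server with a random salt, as the first answer says, is what prevents that, and `needs_rehash` is the hook for raising the cost parameters later without asking users to reset anything.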