All classified information should always be trafficked in an encrypted form, from where it was typed to the server. You can use the mechanisms available in the operating system and accessible by the device API.

On the server when receiving should immediately transform a hash and discard the original password.

More than just doing cryptography end-to-end, but it is a more complicated process, it creates some difficulties and only applies where it needs a lot of privacy and needs to decrease the area of attack a little more, which does not guarantee anything because the tip can be compromised in several ways.

Responding in a clear and fast way: the password must be encrypted in the application.

Why?

When the application sends the data to the server, nothing prevents this data from being read or intercepted in the middle of the path, such as an attack Man in the Middle. When this data transits through the network in Plain text anyone can read it without much difficulty.

But what if the communication is done using https?

With the use of https between services, the encryption of messages exchanged between points is guaranteed, provided that the certificates and protocols involved are up to date and operational.

Finally, the ideal would be the exchange of messages using end-to-end encryption, as well quoted @Maniero in his reply. However, due to the high cost and complexity, it becomes somewhat difficult to apply. So, for your scenario, a solution close to ideal would be: the information would start from the already encrypted app directly to your server that uses https.