Yes, this is tricky on Android. You don’t want to store the plaintext password in the preferences, because anyone with a rooted device will basically be displaying their password to the world. On the flip side, you can’t use an encrypted password, because you’d have to store your encryption/decryption key somewhere on the device, again susceptible to the root attack.
One solution I used a while back is to have the server generate a “ticket” which it passes back to the device, which is good for a certain period of time. This ticket is used by the device for all communication, using SSL of course so people can’t steal your ticket. This way, the user authenticates their password on the server once, the server sends back an expiring ticket, and the password is never stored anywhere on the device.
Several three-legged authentication mechanisms, like OpenID, Facebook, even Google APIs, use this mechanism. The downsides are that every once in a while when the ticket expires, the user needs to re-login.
Ultimately, it depends on how secure you want your application to be. If this is simply to distinguish users, and no super-secret information is being stored like bank accounts or blood types, then perhaps saving the PWD in plaintext on the device is just fine 🙂
Good luck, whatever method you decide is best for your particular situation!
Edit: I should note that this technique transfers the responsibility of security to the server – you’ll want to use salted hashes for password comparison on the server, an idea you’ll see in some of the other comments for this question. This prevents the plaintext password from appearing anywhere except the EditText View on the device, the SSL communication to the server, and the server’s RAM while it salts and hashes the password. It’s never stored on disk, which is a Good Thingâ„¢.