I'd expect you to use a well tested crypto library with a proven track record and people behind it that know what they are doing. Don't roll your own crypto. Ever.
Use proven cipher suites that do what you want them to do, i.e., don't shoehorn algorithms over problems that they are not supposed to solve.

For your server communication, don't roll your own protocol, use TLS! Use certificate pinning to verify that the server is who it claims to be, use a simple HTTP protocol/RESTful API to communicate.

Don't encrypt passwords. Ever. Use a cryptographic hash and a random salt for every password, don't re-use salts, that's as good as using no salts. Use something like bcrypt to hash the passwords, use enough rounds (10+) and increase over time.

Don't ever trust anything a client sends you. Every client is a lying, cheating bastard, treat them like that! Verify input, use prepared statements when putting the data into your database. Don't store passwords. Discard them once you are done getting the hash out of them.


Edit: Most importantly: Don't listen to Chaos because he knows fuck all about what he is talking about. If someone uses "encryption" in conjunction with a cryptographic hash function, laugh at him and then turn your back to them. If they suggest MD5, a hashing algorithm that has been broken since 2007(!), feel some pity for them and their users. SHA512 at the very least. But better yet, something like bcrypt that allows you to increase the rounds and that is deliberately slow. YES, you don't want a throughput of millions of hashes per second, you want something that is slow, so brute forcing is slow.

Edit2: Jesus Christ, just reread what he wrote... Did he really say that you should hash it ON THE CLIENT?! Chaos, if you don't know what you are talking about, don't talk! Especially not when it comes to cryptography. Jesus. Fucking. Christ.

Last edited by JustSid; 06/04/14 19:50.

Shitlord by trade and passion. Graphics programmer at Laminar Research.
I write blog posts at feresignum.com
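The password-storage advice in the post above (random salt per password, a deliberately slow hash, a cost parameter you can raise over time, never keeping the plaintext) as an added example, not JustSid's code. bcrypt is not in the Python standard library, so this uses PBKDF2-HMAC-SHA256 from `hashlib` to show the same principle; the iteration count, the `pbkdf2_sha256$` record format and the function names are assumptions of this example, not anything from the post.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed work factor for this example; tune so one hash takes a few hundred
# milliseconds on your servers, and raise it over time (the post's "increase
# over time" advice). The verify path reads the count from the stored record,
# so old hashes keep working while new ones get the higher cost.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"  # assumed record tag, not a standard name


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt$digest.

    A fresh random salt is drawn for every call, so the same password
    hashed twice yields two different records.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # The caller's plaintext is not retained anywhere beyond this function.
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _parse(stored: str):
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != ALGORITHM:
        raise ValueError("unsupported hash record")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    iterations, salt, expected = _parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking where the two digests first differ.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, current_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record was made with a lower cost than the current policy.

    Call this right after a successful login, when the plaintext is briefly
    available, and replace the record with hash_password(password).
    """
    iterations, _, _ = _parse(stored)
    return iterations < current_iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Tr0ub4dor&3", record))
    print("needs rehash:", needs_rehash(record))
```

The record carries its own salt and iteration count, which is what lets you raise the cost later without invalidating existing accounts: verify against whatever cost the record says, and upgrade the record the next time the user logs in successfully.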