Most apps have them and although they are sometimes the bane of a user's existence (primarily because the password is hard to type on a small screen), they're also critically important.
It's est, if possible, to use an e-mail for the user's unique name. This is a piece of information they already know and have at hand. If that's not possible, however, replace Email with Username.
Always have the Password field obscure the characters. This is typically done with dots that replace each character as they are typed. The last character can be displayed, but should only be shown for a short time. Most platforms will give this to you for free as long as you specify that the input field is a Password field.
Sometimes, it's acceptable to have an option to show the password in its entirety. This is typically offered as a checkbox or toggle below the Password field. It's not used very often, and only in circumstances where the password itself may be very complicated. One good example is when entering Wi-Fi information; some devices allow you to see the password as you type it without obscuring the letters since Wi-Fi passwords are painfully complex.
Make the Login or Sign in button obvious. It should beg to be tapped. Give it a different color, larger text—anything to draw the user's attention to it.
Don't forget to give the user a way to reset or retrieve their password (and their username, if you don't use their e-mail). If your app doesn't provide this mechanism, you'll be left with some very upst users.
If it makes sense for your app, you might also want to consider a Remember Me option. This is often used in apps where security isn't quite as important as, say, a bank application. If you don't want to have the app remember the user forever, it's often acceptable to remember the user for a couple of weeks or a month. If you do add this feature, be sure to warn the user about the dangers of using this feature on shared devices and on networks they don't trust.
One final note: use SSL. That is, the login process should be over a secure connection.