Do you control the web service? If not then you will need to use whatever authentication mechanism the web service provides.

If you’re writing the web service yourself, you have a lot of options.

The simplest is to just send the user’s username and password via SSL with every request as a HTTP Authorization: header. The downside here is that you need to keep the username and password stored on the device. That being said, because of the way Android’s permission system works, there’s very little risk of an attacker stealing credentials off of the device, provided the user hasn’t enabled root access.

If you still want to avoid storing the password in plain text, you can send the username/password once (again, using SSL), have the server return an encrypted authorization token, then send that token in place of the user’s username/password. See Google’s ClientLogin for an example of this. An attacker could still steal the token if they have physical access to the device, but at least the attacker can’t use that to gain access to any other sites that use the same password.

There’s other options out there as well, like using challenge/response to prevent the server from ever seeing the user’s password, using OAuth to provide a common authorization API, and so on. It all depends on what your particular requirements are.