Please , Read:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/200
This 200 response does not mean whether the user exists or does not exist. Understand the difference.
The return of your script needs to handle:
ok username and password
wrong username or password
Get method is not secure
Use post method and also encrypt the link to the php script URL and also add some API key in your php script and also encrypt the api key in your app also. Do for security it will help you from SQL injection 
can you give an example of the block