diff --git a/src/custom.js b/src/custom.js
index f9210a961..ae0ee4935 100644
--- a/src/custom.js
+++ b/src/custom.js
@@ -12,10 +12,6 @@ exports = module.exports = {
 };
 
 const DEFAULT_SPEC = {
-    appstore: {
-        blacklist: [],
-        whitelist: null // null imples, not set. this is an object and not an array
-    },
     subscription: {
         configurable: true
     },
diff --git a/src/routes/appstore.js b/src/routes/appstore.js
index 17e5aac1c..e152bea49 100644
--- a/src/routes/appstore.js
+++ b/src/routes/appstore.js
@@ -12,35 +12,20 @@ exports = module.exports = {
 var appstore = require('../appstore.js'),
     assert = require('assert'),
     BoxError = require('../boxerror.js'),
-    custom = require('../custom.js'),
     HttpError = require('connect-lastmile').HttpError,
     HttpSuccess = require('connect-lastmile').HttpSuccess;
 
-function isAppAllowed(appstoreId) {
-    if (custom.spec().appstore.blacklist.includes(appstoreId)) return false;
-
-    if (!custom.spec().appstore.whitelist) return true;
-    if (!custom.spec().appstore.whitelist[appstoreId]) return false;
-
-    return true;
-}
-
 function getApps(req, res, next) {
     appstore.getApps(function (error, apps) {
         if (error) return next(BoxError.toHttpError(error));
 
-        let filteredApps = apps.filter((app) => !custom.spec().appstore.blacklist.includes(app.id));
-        if (custom.spec().appstore.whitelist) filteredApps = filteredApps.filter((app) => app.id in custom.spec().appstore.whitelist);
-
-        next(new HttpSuccess(200, { apps: filteredApps }));
+        next(new HttpSuccess(200, { apps }));
     });
 }
 
 function getApp(req, res, next) {
     assert.strictEqual(typeof req.params.appstoreId, 'string');
 
-    if (!isAppAllowed(req.params.appstoreId)) return next(new HttpError(405, 'feature disabled by admin'));
-
     appstore.getApp(req.params.appstoreId, function (error, app) {
         if (error) return next(BoxError.toHttpError(error));
 
@@ -52,8 +37,6 @@ function getAppVersion(req, res, next) {
     assert.strictEqual(typeof req.params.appstoreId, 'string');
     assert.strictEqual(typeof req.params.versionId, 'string');
 
-    if (!isAppAllowed(req.params.appstoreId)) return next(new HttpError(405, 'feature disabled by admin'));
-
     appstore.getAppVersion(req.params.appstoreId, req.params.versionId, function (error, manifest) {
         if (error) return next(BoxError.toHttpError(error));
 
diff --git a/src/routes/cloudron.js b/src/routes/cloudron.js
index f5d173022..8e6eb2bd0 100644
--- a/src/routes/cloudron.js
+++ b/src/routes/cloudron.js
@@ -29,7 +29,6 @@ let assert = require('assert'),
     clients = require('../clients.js'),
     cloudron = require('../cloudron.js'),
     constants = require('../constants.js'),
-    custom = require('../custom.js'),
     externalLdap = require('../externalldap.js'),
     HttpError = require('connect-lastmile').HttpError,
     HttpSuccess = require('connect-lastmile').HttpSuccess,
diff --git a/src/routes/settings.js b/src/routes/settings.js
index 1782ff58c..47df4ddae 100644
--- a/src/routes/settings.js
+++ b/src/routes/settings.js
@@ -10,7 +10,6 @@ exports = module.exports = {
 var assert = require('assert'),
     backups = require('../backups.js'),
     BoxError = require('../boxerror.js'),
-    custom = require('../custom.js'),
     docker = require('../docker.js'),
     externalLdap = require('../externalldap.js'),
     HttpError = require('connect-lastmile').HttpError,