diff --git a/src/applinks.js b/src/applinks.js
index 98ad8135f..9b307e594 100644
--- a/src/applinks.js
+++ b/src/applinks.js
@@ -17,6 +17,7 @@ const assert = require('assert'),
     uuid = require('uuid'),
     safe = require('safetydance'),
     superagent = require('superagent'),
+    validator = require('validator'),
     jsdom = require('jsdom'),
     debug = require('debug')('box:applinks');
 
@@ -129,6 +130,13 @@ async function update(applinkId, applink) {
 
     debug(`update: ${applinkId} ${applink.upstreamUri}`, applink);
 
+    if ('icon' in applink) {
+        if (applink.icon) {
+            if (!validator.isBase64(applink.icon)) throw new BoxError(BoxError.BAD_FIELD, 'icon is not base64');
+            applink.icon = Buffer.from(applink.icon, 'base64');
+        }
+    }
+
     await amendIconAndLabel(applink);
 
     const query = 'UPDATE applinks SET label=?, icon=?, upstreamUri=?, tagsJson=?, accessRestrictionJson=? WHERE id = ?';
diff --git a/src/routes/applinks.js b/src/routes/applinks.js
index 876e14a81..3910a7856 100644
--- a/src/routes/applinks.js
+++ b/src/routes/applinks.js
@@ -22,6 +22,9 @@ async function listByUser(req, res, next) {
     const [error, result] = await safe(applinks.listByUser(req.user));
     if (error) return next(BoxError.toHttpError(error));
 
+    // we have a separate route for this
+    result.forEach(function (a) { delete a.icon; });
+
     next(new HttpSuccess(200, { applinks: result }));
 }
 
@@ -45,6 +48,9 @@ async function get(req, res, next) {
     const [error, result] = await safe(applinks.get(req.params.id));
     if (error) return next(BoxError.toHttpError(error));
 
+    // we have a separate route for this
+    delete result.icon;
+
     next(new HttpSuccess(200, result));
 }
 
@@ -56,6 +62,7 @@ async function update(req, res, next) {
     if ('label' in req.body && typeof req.body.label !== 'string') return next(new HttpError(400, 'label must be a string'));
     if ('tags' in req.body && !Array.isArray(req.body.tags)) return next(new HttpError(400, 'tags must be an array with strings'));
     if ('accessRestriction' in req.body && typeof req.body.accessRestriction !== 'object') return next(new HttpError(400, 'accessRestriction must be an object'));
+    if ('icon' in req.body && typeof req.body.icon !== 'string') return next(new HttpError(400, 'icon must be a string'));
 
     const [error] = await safe(applinks.update(req.params.id, req.body));
     if (error) return next(BoxError.toHttpError(error));