diff --git a/src/apps.js b/src/apps.js
index d3a0e823a..927d42e38 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -2174,20 +2174,18 @@ async function importApp(app, data, auditSource) {
 
     const appId = app.id;
 
-    // all fields are optional
-    data.remotePath = data.remotePath || null;
-    data.backupFormat = data.backupFormat || null;
-    data.backupConfig = data.backupConfig || null;
     const { remotePath, backupFormat, backupConfig } = data;
 
-    let error = backupFormat ? validateBackupFormat(backupFormat) : null;
+    let error = checkAppState(app, exports.ISTATE_PENDING_IMPORT);
     if (error) throw error;
 
-    error = checkAppState(app, exports.ISTATE_PENDING_IMPORT);
-    if (error) throw error;
+    let restoreConfig;
 
-    // TODO: make this smarter to do a read-only test and check if the file exists in the storage backend
-    if (backupConfig) {
+    if (data.remotePath) { // if not provided, we import in-place
+        error = validateBackupFormat(backupFormat);
+        if (error) throw error;
+
+        // TODO: make this smarter to do a read-only test and check if the file exists in the storage backend
         if (mounts.isManagedProvider(backupConfig.provider)) {
             error = mounts.validateMountOptions(backupConfig.provider, backupConfig.mountOptions);
             if (error) throw error;
@@ -2203,18 +2201,18 @@ async function importApp(app, data, auditSource) {
         }
         error = await backups.testProviderConfig(backupConfig);
         if (error) throw error;
-    }
 
-    if (backupConfig) {
         if ('password' in backupConfig) {
             backupConfig.encryption = backups.generateEncryptionKeysSync(backupConfig.password);
             delete backupConfig.password;
         } else {
             backupConfig.encryption = null;
         }
-    }
 
-    const restoreConfig = { remotePath, backupFormat, backupConfig };
+        restoreConfig = { remotePath, backupFormat, backupConfig };
+    } else {
+        restoreConfig = { remotePath: null };
+    }
 
     const task = {
         args: {
diff --git a/src/routes/apps.js b/src/routes/apps.js
index 2f1bfd300..9197126db 100644
--- a/src/routes/apps.js
+++ b/src/routes/apps.js
@@ -497,14 +497,14 @@ async function importApp(req, res, next) {
     const data = req.body;
 
     if ('remotePath' in data) { // if not provided, we import in-place
-        if (typeof data.remotePath !== 'string') return next(new HttpError(400, 'remotePath must be string'));
+        if (typeof data.remotePath !== 'string' || !data.remotePath) return next(new HttpError(400, 'remotePath must be non-empty string'));
         if (typeof data.backupFormat !== 'string') return next(new HttpError(400, 'backupFormat must be string'));
 
         if ('backupConfig' in data && typeof data.backupConfig !== 'object') return next(new HttpError(400, 'backupConfig must be an object'));
 
         const backupConfig = req.body.backupConfig;
 
-        if (req.body.backupConfig) {
+        if (backupConfig) {
             if (typeof backupConfig.provider !== 'string') return next(new HttpError(400, 'provider is required'));
             if ('password' in backupConfig && typeof backupConfig.password !== 'string') return next(new HttpError(400, 'password must be a string'));
             if ('encryptedFilenames' in backupConfig && typeof backupConfig.encryptedFilenames !== 'boolean') return next(new HttpError(400, 'encryptedFilenames must be a boolean'));