diff --git a/src/apps.js b/src/apps.js
index cd7ad2def..eb68b0498 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -820,6 +820,18 @@ function configure(appId, data, user, auditSource, callback) {
             values.tags = data.tags;
         }
 
+        if ('icon' in data) {
+            if (data.icon) {
+                if (!validator.isBase64(data.icon)) return callback(new AppsError(AppsError.BAD_FIELD, 'icon is not base64'));
+
+                if (!safe.fs.writeFileSync(path.join(paths.APP_ICONS_DIR, appId + '.user.png'), Buffer.from(data.icon, 'base64'))) {
+                    return callback(new AppsError(AppsError.INTERNAL_ERROR, 'Error saving icon:' + safe.error.message));
+                }
+            } else {
+                safe.fs.unlinkSync(path.join(paths.APP_ICONS_DIR, appId + '.user.png'));
+            }
+        }
+
         domains.get(domain, function (error, domainObject) {
             if (error && error.reason === DomainsError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, 'No such domain'));
             if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, 'Could not get domain info:' + error.message));
@@ -908,11 +920,11 @@ function update(appId, data, auditSource, callback) {
                 if (data.icon) {
                     if (!validator.isBase64(data.icon)) return callback(new AppsError(AppsError.BAD_FIELD, 'icon is not base64'));
 
-                    if (!safe.fs.writeFileSync(path.join(paths.APP_ICONS_DIR, appId + '.png'), Buffer.from(data.icon, 'base64'))) {
+                    if (!safe.fs.writeFileSync(path.join(paths.APP_ICONS_DIR, appId + '.user.png'), Buffer.from(data.icon, 'base64'))) {
                         return callback(new AppsError(AppsError.INTERNAL_ERROR, 'Error saving icon:' + safe.error.message));
                     }
                 } else {
-                    safe.fs.unlinkSync(path.join(paths.APP_ICONS_DIR, appId + '.png'));
+                    safe.fs.unlinkSync(path.join(paths.APP_ICONS_DIR, appId + '.user.png'));
                 }
             }
 
diff --git a/src/routes/apps.js b/src/routes/apps.js
index 50da3ba61..bf6441753 100644
--- a/src/routes/apps.js
+++ b/src/routes/apps.js
@@ -189,6 +189,7 @@ function configureApp(req, res, next) {
 
     if ('label' in data && typeof data.label !== 'string') return next(new HttpError(400, 'label must be a string'));
     if ('dataDir' in data && typeof data.dataDir !== 'string') return next(new HttpError(400, 'dataDir must be a string'));
+    if ('icon' in data && typeof data.icon !== 'string') return next(new HttpError(400, 'icon is not a string'));
 
     debug('Configuring app id:%s data:%j', req.params.id, data);
 
@@ -326,7 +327,6 @@ function updateApp(req, res, next) {
     if ('appStoreId' in data && typeof data.appStoreId !== 'string') return next(new HttpError(400, 'appStoreId must be a string'));
     if (!data.manifest && !data.appStoreId) return next(new HttpError(400, 'appStoreId or manifest is required'));
 
-    if ('icon' in data && typeof data.icon !== 'string') return next(new HttpError(400, 'icon is not a string'));
     if ('force' in data && typeof data.force !== 'boolean') return next(new HttpError(400, 'force must be a boolean'));
 
     debug('Update app id:%s to manifest:%j', req.params.id, data.manifest);