diff --git a/src/routes/apps.js b/src/routes/apps.js
index 52549fb5e..a5de7477a 100644
--- a/src/routes/apps.js
+++ b/src/routes/apps.js
@@ -93,9 +93,9 @@ function installApp(req, res, next) {
 var data = req.body;
 if (!data) return next(new HttpError(400, 'Cannot parse data field'));
- if (!data.appStoreId) return next(new HttpError(400, 'appStoreId is required'));
- if (!data.password) return next(new HttpError(400, 'password is required'));
- if (!data.location) return next(new HttpError(400, 'location is required'));
+ if (typeof data.appStoreId !== 'string') return next(new HttpError(400, 'appStoreId is required'));
+ if (typeof data.password !== 'string') return next(new HttpError(400, 'password is required'));
+ if (typeof data.location !== 'string') return next(new HttpError(400, 'location is required'));
 if (('portBindings' in data) && typeof data.portBindings !== 'object') return next(new HttpError(400, 'portBindings must be an object'));
 if (typeof data.restrictAccessTo !== 'string') return next(new HttpError(400, 'restrictAccessTo is required'));
diff --git a/src/routes/test/apps-test.js b/src/routes/test/apps-test.js
index 4fb21477a..7fb1dfbd5 100644
--- a/src/routes/test/apps-test.js
+++ b/src/routes/test/apps-test.js
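Review bot: The `typeof … !== 'string'` guards added in installApp no longer reject an empty string, which the removed truthiness checks did, so a body with `password: ''` or `appStoreId: ''` now passes this layer of validation. installApp continues outside the hunk, so a later check may still catch it, but if not, keep both conditions, e.g. `if (typeof data.password !== 'string' || !data.password) return next(new HttpError(400, 'password is required'));` and the same for `appStoreId`. If an empty `location` is meant to be accepted, a one-line comment on that check saying so would make the intent clear. The 'is required' messages are now also returned for a value that is present but of the wrong type, which can mislead an API client.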
@@ -157,6 +157,28 @@ describe('App API', function () {
 });
 });
+ it('app install fails - invalid location type', function (done) {
+ request.post(SERVER_URL + '/api/v1/app/install')
+ .query({ access_token: token })
+ .send({ appStoreId: APP_STORE_ID, password: PASSWORD, location: 42, restrictAccessTo: '' })
+ .end(function (err, res) {
+ expect(res.statusCode).to.equal(400);
+ expect(res.body.message).to.eql('location is required');
+ done(err);
+ });
+ });
+
+ it('app install fails - invalid password type', function (done) {
+ request.post(SERVER_URL + '/api/v1/app/install')
+ .query({ access_token: token })
+ .send({ appStoreId: APP_STORE_ID, password: 3.52, location: 'ninja', restrictAccessTo: '' })
+ .end(function (err, res) {
+ expect(res.statusCode).to.equal(400);
+ expect(res.body.message).to.eql('password is required');
+ done(err);
+ });
+ });
+
+ it('app install fails - reserved location', function (done) {
 request.post(SERVER_URL + '/api/v1/app/install')
 .query({ access_token: token })
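Review bot: The third guard changed by this commit, the `appStoreId` type check, has no test; the two added cases cover only `location` and `password`. A sibling case sending `appStoreId: 42` (constructed value) with a valid password and location, expecting 400 and `'appStoreId is required'`, would cover it. A further case with `password: ''` would pin whether empty strings are meant to pass the route validation, which the visible cases leave undecided. The describe block starts and ends outside the hunk.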