diff --git a/src/applinks.js b/src/applinks.js
index 4691c4eaf..60c02d1b4 100644
--- a/src/applinks.js
+++ b/src/applinks.js
@@ -5,7 +5,8 @@ exports = module.exports = {
     add,
     get,
     update,
-    remove
+    remove,
+    getIcon
 };
 
 const assert = require('assert'),
@@ -31,7 +32,7 @@ function postProcess(result) {
     if (result.accessRestriction && !result.accessRestriction.users) result.accessRestriction.users = [];
     delete result.accessRestrictionJson;
 
-    result.icon = result.icon ? result.icon.toString() : null;
+    result.icon = result.icon ? result.icon : null;
 }
 
 async function list() {
@@ -59,9 +60,10 @@ async function add(applink) {
         if (dom.window.document.querySelector('link[rel="icon"]')) {
             const favicon = dom.window.document.querySelector('link[rel="icon"]').href ;
             const [error, response] = await safe(superagent.get(favicon));
-            if (error || !response.text) throw new BoxError(BoxError.BAD_FIELD, 'cannot fetch applink icon');
+            if (error) throw new BoxError(BoxError.BAD_FIELD, 'cannot fetch applink icon');
 
-            applink.icon = response.text;
+            if (response.ok && response.headers['content-type'] === 'image/png') applink.icon = response.body;
+            else debug(`Failed to fetch icon ${response.status}`);
         } else {
             debug(`Cannot fetch icon for ${applink.upstreamUri}`);
         }
@@ -116,3 +118,13 @@ async function remove(applinkId) {
     const result = await database.query(`DELETE FROM applinks WHERE id = ?`, [ applinkId ]);
     if (result.affectedRows !== 1) throw new BoxError(BoxError.NOT_FOUND, 'Applink not found');
 }
+
+async function getIcon(applinkId) {
+    assert.strictEqual(typeof applinkId, 'string');
+
+    debug(`getIcon: ${applinkId}`);
+
+    const applink = await get(applinkId);
+
+    return applink.icon;
+}
diff --git a/src/routes/applinks.js b/src/routes/applinks.js
index 625a90e98..1877f0383 100644
--- a/src/routes/applinks.js
+++ b/src/routes/applinks.js
@@ -5,7 +5,8 @@ exports = module.exports = {
     add,
     get,
     update,
-    remove
+    remove,
+    getIcon
 };
 
 const assert = require('assert'),
@@ -64,3 +65,12 @@ async function remove(req, res, next) {
 
     next(new HttpSuccess(204));
 }
+
+async function getIcon(req, res, next) {
+    assert.strictEqual(typeof req.params.id, 'string');
+
+    const [error, icon] = await safe(applinks.getIcon(req.params.id, { original: req.query.original }));
+    if (error) return next(BoxError.toHttpError(error));
+
+    res.send(icon);
+}
diff --git a/src/server.js b/src/server.js
index 026ba56eb..adca163ad 100644
--- a/src/server.js
+++ b/src/server.js
@@ -263,6 +263,7 @@ function initializeExpressSync() {
     router.get ('/api/v1/applinks/:id',       token, authorizeAdmin, routes.applinks.get);
     router.post('/api/v1/applinks/:id', json, token, authorizeAdmin, routes.applinks.update);
     router.del ('/api/v1/applinks/:id',       token, authorizeAdmin, routes.applinks.remove);
+    router.get ('/api/v1/applinks/:id/icon',  token,                 routes.applinks.getIcon);
 
     // branding routes
     router.get ('/api/v1/branding/:setting',       token, authorizeOwner, routes.branding.get);