diff --git a/src/apps.js b/src/apps.js
index 16f516a1e..0bb77e048 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -648,6 +648,7 @@ function checkAppState(app, state) {
     if (app.taskId) return new BoxError(BoxError.BAD_STATE, `Locked by task ${app.taskId} : ${app.installationState} / ${app.runState}`);
 
     if (app.installationState === exports.ISTATE_ERROR) {
+        // allow task to be called again if that was the errored task
         if (app.error.installationState === state) return null;
 
         // allow uninstall from any state
diff --git a/src/routes/tasks.js b/src/routes/tasks.js
index 49e218536..784c777d4 100644
--- a/src/routes/tasks.js
+++ b/src/routes/tasks.js
@@ -31,7 +31,7 @@ function get(req, res, next) {
     tasks.get(req.params.taskId, function (error, task) {
         if (error) return next(BoxError.toHttpError(error));
 
-        next(new HttpSuccess(200, task));
+        next(new HttpSuccess(200, tasks.removePrivateFields(task)));
     });
 }
 
@@ -47,6 +47,8 @@ function list(req, res, next) {
     tasks.listByTypePaged(req.query.type || null, page, perPage, function (error, result) {
         if (error) return next(BoxError.toHttpError(error));
 
+        result = result.map(tasks.removePrivateFields);
+
         next(new HttpSuccess(200, { tasks: result }));
     });
 }
diff --git a/src/routes/test/tasks-test.js b/src/routes/test/tasks-test.js
index 56e22da0f..325390241 100644
--- a/src/routes/test/tasks-test.js
+++ b/src/routes/test/tasks-test.js
@@ -62,7 +62,7 @@ describe('Tasks API', function () {
                     .end(function (err, res) {
                         expect(res.statusCode).to.equal(200);
                         expect(res.body.percent).to.be(100);
-                        expect(res.body.args).to.eql(['ping']);
+                        expect(res.body.args).to.be(undefined);
                         expect(res.body.active).to.be(false); // finished
                         expect(res.body.success).to.be(true);
                         expect(res.body.result).to.be('ping');
@@ -144,7 +144,7 @@ describe('Tasks API', function () {
                         expect(res.body.tasks.length >= 1).to.be(true);
                         expect(res.body.tasks[0].id).to.be(taskId);
                         expect(res.body.tasks[0].percent).to.be(100);
-                        expect(res.body.tasks[0].args).to.eql(['ping']);
+                        expect(res.body.tasks[0].args).to.be(undefined);
                         expect(res.body.tasks[0].active).to.be(false); // finished
                         expect(res.body.tasks[0].success).to.be(true); // finished
                         expect(res.body.tasks[0].result).to.be('ping');
diff --git a/src/tasks.js b/src/tasks.js
index 485fe8d07..3b7c9279d 100644
--- a/src/tasks.js
+++ b/src/tasks.js
@@ -14,6 +14,8 @@ exports = module.exports = {
     stopTask: stopTask,
     stopAllTasks: stopAllTasks,
 
+    removePrivateFields: removePrivateFields,
+
     // task types. if you add a task here, fill up the function table in taskworker
     TASK_APP: 'app',
     TASK_BACKUP: 'backup',
@@ -267,3 +269,9 @@ function getLogs(taskId, options, callback) {
 
     callback(null, transformStream);
 }
+
+// removes all fields that are strictly private and should never be returned by API calls
+function removePrivateFields(task) {
+    var result = _.pick(task, 'id', 'type', 'percent', 'message', 'error', 'active', 'creationTime', 'result', 'ts', 'success');
+    return result;
+}