I had the same issue when I updated SDK to version 20. I removed it adding android:exported propery:
<activity
android:name=".MainActivity"
android:exported="false">
<intent-filter>
<action android:name="android.intent.action.VIEW" />
<data android:scheme="http" android:host="example.com" />
</intent-filter>
</activity>
inside the activity declaration in manifest. Of course you may specify this if the activity is intended only for application-internal use
The reason it fixes it is found on docs:
android:exported:The default value depends on whether the activity contains intent filters. The absence of any filters means that the activity can be invoked only by specifying its exact class name. This implies that the activity is intended only for application-internal use (since others would not know the class name). So in this case, the default value is “false”. On the other hand, the presence of at least one filter implies that the activity is intended for external use, so the default value is “true”.
Since “Exported receiver does not require permission” (at least the LINT message is clear) ,you got it.